Responsible Disclosure Policy
In this policy, references to “Glasswall”, “us”, “we” and “our” mean Glasswall Ltd., a privately held company.
Glasswall was founded on the ideology that every file should be trusted, and we believe that companies and individuals should have the freedom to access and use technology in a safe and consistent manner.
We advocate transparency within the security industry, with a willingness and desire to share information with one another, creating a secure digital world for us all to enjoy.
Glasswall is committed to engaging positively with the research community that protects our company and customers. Therefore, we actively encourage anybody who has identified a vulnerability to work with us so that we can maintain the integrity, functionality, and confidentiality of our software.
The terms below apply to any website, application, or service distributed by or hosted by Glasswall.
Please use the form below OR the email address [email protected] to alert us to:
- Vulnerabilities or breaches in our software or environments which threaten the confidentiality, integrity or availability of our data, software, or services, or our customers’ data
- Applications that mimic, mislabel, misdirect, or “copycat” Glasswall, or phishing attacks even if they do not originate from Glasswall sources
- Written or verbal discussion, activities, or data in any public forum which you believe constitutes a threat to Glasswall, our employees or our customers
Disclosing a security concern to Glasswall
If you are uncomfortable sending any of the following content by email, you may mask or redact sensitive content.
Your submission should contain:
- Clear, descriptive summary of the vulnerability with accurate evidence (logs, screenshots, responses or other evidence).
- Include date of first discovery
- Tools involved with the discovery of the vulnerability.
- Detailed steps on how to reproduce the issue.
- Platform details including IP addresses, vulnerable endpoints, services etc.
- Personal assessment of exploitability, or the inherent risk of the issue.
- Your contact details (If you are not comfortable, please anonymise using the form here).
- Provide a detailed and complete submission
- Be sure to include your contact information so that Glasswall can communicate as necessary
- Be specific and detailed
- Treat the vulnerability report and any vulnerability as confidential information and not divulge to any third person (except disclosure to Glasswall) any such information until public disclosure is mutually agreed upon with Glasswall
- Report vulnerabilities in a vendor we integrate with or leaks of Glasswall customer data
- Do not break international, federal, state or local laws
- Do not put Glasswall data, employees or customers at risk
- Do not do any unsolicited testing that would result in a denial of service (DoS), attempt at physical access, or anything that could be considered social engineering against Glasswall employees
Glasswall has measures in place to ensure that reports of this nature are treated with high importance, and can be responded to quickly and effectively. Glasswall commits to responding to credible vulnerability disclosures that provide the required information within 48 business hours.
We will not respond to:
- Hoaxes or anonymous reports.
- Reports that are generic or lack evidence to be verified.
- Reports that bear no relevance to Glasswall as a company, its technologies, or its employees or customers.
- Reports that are non-actionable.
Glasswall believes in coordinated disclosure with regard to vulnerabilities that have been reported to us and fixed. We expect professional conduct and will seek to agree on reasonable timelines for updates and coordination with security researchers and others who may report vulnerabilities.
While we will work diligently to address vulnerabilities, we do not adhere to specific windows of time for fixes or for updates to the person who filed the report; instead, we will work with you to set expectations on the timeline for fixing a vulnerability. We will disclose publicly alongside anyone who makes a report that helps us ensure our technologies, data, and employees are secure. At this time, we do not have a formal bug bounty program, but each submission will be reviewed on an individual basis in the context of its severity.
Please click here to report a vulnerability or information about any other relevant security issue.
Thank you for helping keep Glasswall secure!
We appreciate the efforts of the global security research community who work to identify vulnerabilities and collaborate with organizations like ours to create a fix and communicate responsibly to affected parties.