Responsible Disclosure Policy – Asset Claims LTD

Responsible Disclosure at Asset Claims LTD

Welcome to the Responsible Disclosure Policy of Asset Claims LTD. This page outlines the principles that guide how Asset Claims LTD handles security vulnerabilities and ethical disclosures to protect users and systems worldwide.

1. Purpose and Scope – Asset Claims LTD

1.1 Program Mission

Encourage responsible reporting of vulnerabilities that may affect the security or privacy of Asset Claims LTD systems.

1.2 Applicability

This policy covers websites, APIs, applications, and systems owned and operated by Asset Claims LTD.

1.3 Target Audience

Independent security researchers, ethical hackers, and cybersecurity experts acting in good faith.

1.4 Governance Model

Asset Claims LTD revises this policy annually to align with global security standards and industry regulations.

2. Our Responsibilities – Asset Claims LTD

2.1 Timely Acknowledgment

We will acknowledge vulnerability reports within 3 business days of receipt.

2.2 Swift Investigation

Asset Claims LTD commits to triaging and analyzing reported vulnerabilities promptly.

2.3 Remediation Commitment

Critical vulnerabilities will be addressed with urgency, and all issues will be mitigated based on severity.

2.4 Researcher Recognition

Subject to Asset Claims LTD's discretion, researchers may be publicly acknowledged for significant contributions.

3. Reporting Guidelines

3.1 Reporting Channel

All vulnerability reports must be submitted to security@asset-claims.com.

3.2 Submission Format

Reports should include detailed reproduction steps, technical analysis, and potential impact assessment.

3.3 Confidentiality

Asset Claims LTD ensures that personal researcher information remains confidential unless otherwise agreed.

3.4 Response Timeline

Investigations are conducted within defined SLAs based on the severity of the reported issue.

4. Asset Claims LTD’s Security Culture

4.1 Embedded Security

Security is integrated into every phase of our system development and operational processes.

4.2 Awareness Programs

Asset Claims LTD conducts regular cybersecurity awareness training for all employees.

4.3 Threat Modeling

We implement threat modeling practices to anticipate and mitigate risks proactively.

4.4 Vulnerability Management

We continuously monitor, detect, and address vulnerabilities across our environments.

5. Researcher Guidelines

5.1 Act in Good Faith

Researchers must avoid harming users, accessing private data, or disrupting systems.

5.2 Avoid Data Exfiltration

No copying, downloading, or exfiltration of company or customer data is permitted.

5.3 No Social Engineering

Do not use social engineering tactics such as phishing against employees or customers.

5.4 Scope Respect

Testing must remain within the predefined scope outlined by Asset Claims LTD.

6. Vulnerability Severity Classification

6.1 Critical Vulnerabilities

Immediate threats to data confidentiality, system availability, or integrity.

6.2 High Severity Issues

Issues posing substantial risk requiring swift resolution but not immediately critical.

6.3 Medium Severity

Risks mitigated through standard controls or procedural adjustments.

6.4 Low Severity Observations

Findings that do not pose significant risk but help strengthen overall security posture.

7. Scope Definition

7.1 Included Systems

Public websites, customer-facing APIs, and proprietary mobile applications.

7.2 Out-of-Scope Systems

Third-party systems and platforms not owned or operated directly by Asset Claims LTD.

7.3 Cloud Infrastructure

Certain elements of cloud-hosted infrastructure may be included with prior written consent.

7.4 Emerging Assets

Newly launched platforms will be assessed and added to the scope as applicable.

8. Prohibited Actions

8.1 Data Access

Accessing, modifying, or destroying any data is strictly prohibited.

8.2 Service Disruption

Denial-of-Service (DoS/DDoS) attacks, network stress testing, or similar activities are forbidden.

8.3 Phishing and Social Engineering

No phishing emails, phone scams, or impersonation tactics are allowed under any circumstances.

8.4 Physical Testing

Physical security tests against facilities or personnel are out of scope.

9. How to Submit a Report

9.1 Email Submission

Send all reports to our dedicated security mailbox: security@asset-claims.com.

9.2 Required Information

Detailed description, proof of concept, and impact analysis must accompany all submissions.

9.3 PGP Encryption

Optionally encrypt reports with our published PGP key to maintain confidentiality.

9.4 Immediate Threats

For actively exploited vulnerabilities, urgent escalation paths are available upon request.

10. Response and Remediation Process

10.1 Triage Team Review

All reports are initially reviewed by our triage team to validate authenticity and severity.

10.2 Prioritization

Reports are categorized based on business impact and technical risk factors.

10.3 Fix Implementation

Our engineering teams work to deploy patches or configuration changes as required.

10.4 Final Validation

Post-remediation, independent verification is conducted to ensure the issue is fully resolved.

11. Communication with Researchers

11.1 Acknowledgment Response

Asset Claims LTD will send confirmation of receipt for all reports within 3 business days.

11.2 Status Updates

Researchers will be provided with periodic updates regarding progress on validation and remediation.

11.3 Collaboration

In cases requiring clarification, researchers may be contacted for additional information or assistance.

11.4 Disclosure Agreement

Asset Claims LTD may request nondisclosure during active remediation efforts to protect client security.

12. Public Recognition Program

12.1 Hall of Fame Eligibility

Researchers who comply with all rules and contribute valid vulnerabilities may be included in our Hall of Fame.

12.2 Consent for Listing

Public recognition will only occur with the researcher’s explicit consent.

12.3 Acknowledgment Timeline

Recognition, if granted, typically occurs within 30 days post-remediation.

12.4 No Monetary Rewards

Asset Claims LTD does not provide financial bounties; acknowledgment is honorary.

13. Confidentiality and Data Protection

13.1 Privacy Commitment

Asset Claims LTD protects the privacy of all reporters unless legally required otherwise.

13.2 Data Handling

Reports and associated communications are stored securely within encrypted systems.

13.3 Limited Access

Only authorized personnel within Asset Claims LTD have access to vulnerability information.

13.4 Data Retention Policy

Reports are retained for audit and compliance purposes for a minimum of 3 years.

14. Safe Harbor Policy

14.1 Good Faith Protection

Researchers acting in good faith within the boundaries of this policy will not face legal action.

14.2 Defined Boundaries

Good faith is contingent on avoiding data destruction, privacy violations, and service disruption.

14.3 Third-Party Involvement

Reports affecting third-party services should be submitted directly to the provider unless involving Asset Claims LTD data.

14.4 Protection Scope

Safe Harbor protections apply only when rules are respected throughout the research and reporting process.

15. Limitations of Liability

15.1 No Warranty

Asset Claims LTD provides no warranty regarding the processing of vulnerability reports.

15.2 Limited Remedies

No compensation, liability, or damages are extended to researchers beyond acknowledgment.

15.3 Service Disruptions

Asset Claims LTD is not liable for incidental disruptions stemming from good-faith vulnerability testing.

15.4 Jurisdiction

All legal matters arising from this program are governed by English law.

16. Program Modifications

16.1 Policy Updates

Asset Claims LTD may revise or terminate this policy at any time without prior notice.

16.2 Scope Changes

New assets, endpoints, or exclusions may be updated within scope documentation as necessary.

16.3 Researcher Notification

Major changes will be communicated via the Asset Claims LTD website or designated communication channels.

16.4 Version Control

All policy versions will be archived for compliance and transparency purposes.

17. Vulnerability Disclosure Timeline

17.1 Acknowledgment Phase

Receipt of report acknowledged within 3 business days.

17.2 Triage Phase

Initial triage and risk assessment conducted within 7 business days of acknowledgment.

17.3 Remediation Phase

Critical issues patched within 30 days; non-critical based on risk priority.

17.4 Public Disclosure Coordination

Researchers will be consulted regarding public disclosure timing post-remediation.

18. Importance of Responsible Disclosure for Asset Claims LTD

18.1 Collaborative Security

Working with researchers enhances the overall resilience of Asset Claims LTD’s systems.

18.2 Risk Reduction

Early detection of vulnerabilities significantly reduces risk exposure.

18.3 Regulatory Compliance

Responsible disclosure supports compliance with data protection and cybersecurity regulations.

18.4 Building Trust

Transparent handling of vulnerabilities strengthens customer and partner trust.

19. Researcher Code of Conduct

19.1 Ethical Behavior

Researchers must act ethically, avoiding harm or unauthorized exposure of data.

19.2 Professional Communication

All communications with Asset Claims LTD should remain courteous and professional.

19.3 No Exploitation

Exploiting vulnerabilities beyond proof of concept is strictly prohibited.

19.4 Respect for Scope

Testing activities must stay within the defined scope boundaries at all times.

20. Final Commitment from Asset Claims LTD

20.1 Long-Term Partnership

We value ongoing partnerships with the security research community worldwide.

20.2 Continuous Improvement

Asset Claims LTD is dedicated to improving our security infrastructure year after year.

20.3 Mutual Respect

We respect the work of ethical hackers and recognize their role in creating safer digital ecosystems.

20.4 Closing Statement

Thank you for collaborating with Asset Claims LTD in strengthening global cybersecurity defenses.
