Reporting a security vulnerability
At PosAm, we take the security of our systems very seriously. We take care to provide our customers with solutions and services with a high level of protection.
At the same time, we recognize that the security of systems is not a static state but a process of continuous, honest review and reassessment. The speed of response to a potential weakness can play a key role. That is why we recognize the work of the broad security community and appreciate the responsible communication of potential security vulnerabilities in a coordinated, constructive and transparent manner.
How to report a security vulnerability
If you discover a security vulnerability in our systems, solutions or services, please report it to us as soon as possible by sending an email to vulnerability@posam.sk.
We recommend encrypting the report with our PGP key.
Please provide the following information in your report:
- description of the vulnerability,
- the time and method of discovery of the vulnerability,
- the specification of the system, solution or service where the vulnerability was discovered,
- the steps needed to reproduce/verify the vulnerability,
- any other related information (code samples, log entries, screenshots, etc.) that will help us identify the vulnerability,
- your PGP key (for the encrypted response option).
Resolution process
Please allow us a reasonable amount of time to verify your report and fix the bugs before disclosing the vulnerability and sharing any information with others.
We would appreciate your cooperation in reproducing and verifying the submitted report.
During the resolution process, we will keep you informed of the progress and estimated time to resolve the issue.
Legal opinion
PosAm declares that it will not take legal action against whistleblowers of security vulnerabilities who act in accordance with this guideline. We will process the information provided by the whistleblower in a confidential manner and will not disclose his/her personal data to third parties without his/her consent. We do not provide a financial reward for reported vulnerabilities. As a token of appreciation, the whistleblower will be awarded the title of “Cyber Security Guardian” and, if he or she agrees, we will publish his or her name on our website along with a description of his or her merits.
Cyber Security Guardians
We are happy that no security vulnerabilities have been discovered or reported yet.