Product Security

Effective Date: 10-Mar-2020
Last Updated: 10-Mar-2025

Vulnerability Disclosure Policy

 


1. Introduction

At ctechdigital.com, we believe that vulnerability disclosure is a shared responsibility. Both vendors and security researchers must act responsibly to ensure that vulnerabilities are identified, addressed, and mitigated in a way that reduces risk to users and the wider technology community.

2. Coordinated Disclosure Commitment

When ctechdigital.com identifies security vulnerabilities through internal research or external engagement, we adhere to the following responsible disclosure process:

  • Vendors will be notified confidentially of the discovered vulnerabilities.

  • Full details will be shared publicly 90 days after initial vendor contact, or earlier if a fix is released.

  • Affected vendors will receive a direct link to this policy and a clearly stated planned disclosure date.

  • We will provide reasonable assistance to vendors in understanding and mitigating the issue.

3. Communication Protocol

  • Initial contact will be made through known vendor security channels or appropriate alternatives.

  • If no acknowledgment is received within 7 days, follow-up contact attempts will be made through multiple channels.

  • If the vendor fails to acknowledge the report within 30 days, a final notice will be sent indicating full public disclosure in another 30 days.

  • If no remediation or acknowledgment is made, the vulnerability will be publicly disclosed 90 days after the initial contact attempt.

4. Disclosure Timeline Exceptions

4.1 Weekends and Holidays

If a disclosure deadline falls on a weekend or public holiday, the deadline will shift to the next working day.

4.2 Scheduled Patches

If a vendor informs us prior to the 90-day deadline that a patch is scheduled within 14 days of the original disclosure date, we will accommodate this delay. However, if the patch is delayed beyond this grace period, we reserve the right to proceed with disclosure.

4.3 Zero-Day Vulnerabilities (0day)

In the case of active exploitation of a previously unknown vulnerability (“0day”), we support accelerated disclosure within 7 days. This timeline enables users and defenders to take immediate protective action, such as applying mitigations or restricting access. If no patch or public advisory is issued within this period, we support researchers sharing vulnerability details.

4.4 Exceptional Circumstances

We reserve the right to adjust disclosure timelines in extreme or urgent situations. All vendors will be treated equally and held to consistent expectations.

5. Vendor Engagement Principles

  • We seek to establish confidential and constructive communication with vendors.

  • We value collaboration and transparency, prioritizing security over blame.

  • Our goal is to improve industry response times and provide clarity around expected timelines.

6. Policy Intent and Alignment

This policy aligns with industry best practices, including those set by leaders such as Google, and reflects our ongoing commitment to:

  • Responsible vulnerability research

  • Fair and equal treatment of vendors

  • Promoting safer technology through timely disclosure and collaboration

7. Stay Informed

For updates on our security research, insights, and responsible disclosure efforts, please visit ctechdigital.com.


 

8. Contact Information

For inquiries about this policy or to exercise your rights, contact us at:


This Vulnerability Disclosure Policy reinforces ctechdigital.com’s commitment to ethical security practices and responsible coordination with vendors to reduce risk and protect users across the digital ecosystem.

Frequently Asked Questions

for Security Reporting on CTechdigital.com applications

How does ctechdigital.com define a data breach?

A data breach is any unauthorized access, disclosure, or loss of sensitive information due to accidental, malicious, or criminal activities. Examples include data theft, insider threats, and accidental exposure.

Who should report a data breach, and how?

Any employee, contractor, or third-party service provider who suspects a data breach must report it immediately to the Data Protection Officer (DPO) or IT Security team through the designated incident reporting process.

What steps does ctechdigital.com take when a breach occurs?

The company follows a structured response, including detecting and reporting the breach, containing its impact, assessing the damage, notifying affected parties, and implementing corrective actions to prevent future incidents.

When and how are affected individuals notified?

If personal data is compromised, affected individuals will receive prompt notifications detailing the nature of the breach, its impact, and mitigation steps. Regulatory bodies and law enforcement agencies will also be notified if required.

What preventive measures does ctechdigital.com take against data breaches?

Preventive actions include regular security audits, employee training on data protection, system monitoring, strict access controls, and periodic policy reviews to ensure compliance with evolving regulations.

What are the consequences of non-compliance with the Data Breach Policy?

Failure to comply with this policy may result in disciplinary action, contract termination, or legal consequences, depending on the severity of the violation.
