Information

Vulnerability Disclosure Policy

This Vulnerability Disclosure Policy applies to any vulnerabilities you are considering reporting to TOPAZ Technologies. We recommend reading this policy fully before you report a vulnerability.

 

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue and TOPAZ Technologies will not recommend or pursue legal action related to your research. However, we do not offer monetary rewards for vulnerability disclosures.

TOPAZ Technologies Vulnerability Disclosure Policy

This policy describes the finding, testing and reporting of vulnerabilities discovered to TOPAZ Technologies, LLC of website addresses owned by TOPAZ Technologies, LLC: https://topazti.com

 

Purpose

The purpose of the Threat Management (THR) policy is to establish a capability to proactively govern technology-related threats to the security and privacy of the organization’s systems, data, and business processes.

Scope

All systems and services associated with the domains listed below are in scope. Likewise, subdomains of each listing, unless explicitly excluded, are always in scope. Additionally, any website published with a link to this policy shall be considered in scope. Vulnerabilities found in non-TOPAZ Technologies systems from our vendors fall outside the scope of this policy and should be reported directly to the vendor according to their disclosure policy (if any).

Though we develop and maintain other internet-accessible systems or services, we ask that active research only be conducted on the systems and services covered by the scope of this document. If there is a system not in scope that you think merits inclusion, please contact us to discuss it first. We will increase the scope of this policy over time as required.

DOMAIN:

topazti.com

 

Authorization

This Vulnerability Disclosure Policy applies to any vulnerabilities you are considering reporting to TOPAZ Technologies. We recommend reading this policy fully before you report a vulnerability.

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue and TOPAZ Technologies will not recommend or pursue legal action related to your research. However, we do not offer monetary rewards for vulnerability disclosures.

 

Guidelines

Under this policy, “research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Provide us with a reasonable amount of time to resolve the issue before you disclose it publicly.
  • Do not intentionally compromise the privacy or safety of TOPAZ Technologies personnel, TOPAZ Technologies customers, or any third parties.
  • Do not intentionally compromise the intellectual property or other commercial or financial interests of any TOPAZ Technologies personnel or entities, TOPAZ Technologies customers, or any third parties.

Once you have established that a vulnerability exists or encounter any sensitive data (including Personally Identifiable Information (PII), financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

 

Rules of Engagement

Security Researchers Must Not:

  • Contravene any applicable law or regulations.
  • Test any system other than the systems set forth in the ‘Scope’ section (above).
  • Disclose vulnerability information except as set forth in the ‘Reporting a Vulnerability’ and ‘Disclosure’ sections (below).
  • Engage in physical testing of facilities or resources.
  • Engage in social engineering.
  • Send unsolicited electronic mail to TOPAZ Technologies personnel or customers, including “phishing” messages.
  • Execute or attempt to execute any form of “Denial of Service” attack.
  • Introduce malicious software.
  • Test in a manner that could degrade the operation of TOPAZ Technologies systems or intentionally impair, disrupt, or disable TOPAZ Technologies systems.

  • Test third-party applications, websites, or services that integrate with or link to or from TOPAZ Technologies systems.

  • Delete, alter, share, retain, or destroy TOPAZ Technologies data, or render TOPAZ Technologies data inaccessible.

  • Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on TOPAZ Technologies systems, or “pivot” to other TOPAZ Technologies systems.

Security Researchers May:

  • View or store TOPAZ Technologies nonpublic data only to the extent necessary to document the presence of a potential vulnerability.

Security Researchers Must:

  • Cease testing and notify us immediately upon discovery of a vulnerability.

  • Cease testing and notify us immediately upon discovery of exposure of nonpublic data.

  • Purge any stored TOPAZ Technologies nonpublic data upon reporting a vulnerability.

 

Reporting a Vulnerability

We accept vulnerability reports at info@topazti.com

Information submitted under this policy will be used for defensive purposes only i.e., to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely TOPAZ Technologies, we may share your report with the Cybersecurity and Infrastructure Security Agency (CISA), where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.

By submitting a vulnerability, you are indicating that you have read, understood, and agreed to the guidelines described in this policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to TOPAZ Technologies information systems. You also consent to having the contents of the communication and follow-up communications stored on a TOPAZ Technologies system.

To help us triage and prioritize submissions, we ask that your reports include:

  • The website, IP, or page where the vulnerability can be observed.
  • A brief description of the type of vulnerability e.g., “XSS vulnerability.”
  • Steps to reproduce. These should be benign, non-destructive, proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeover.
  • Description of the circumstances, including date(s) and time(s), leading to you reporting the suspected vulnerability.
  • Where applicable, provide your name, email address, and cell number so that we may contact you for clarifications.

Disclosure

TOPAZ Technologies is committed to timely correction of vulnerabilities. However, we recognize that public disclosure of a vulnerability in the absence of a readily available corrective action increases as opposed to decreases the risk. Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 90 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we require that you coordinate in advance with us. We may share vulnerability reports with the Cybersecurity and Infrastructure Security Agency (CISA), as well as any affected vendors. We will not share your name or contact information without express permission.