Responsible Disclosure Policy
Munisense values the security of its systems and the privacy of its users. Despite our efforts to create a secure environment, vulnerabilities may still be present. If you discover a security issue, we kindly ask you to report it to us in a responsible manner so that we can take appropriate measures and ensure the security of our systems.
Scope
This policy applies to all public systems and services of Munisense, including but not limited to our websites, applications, and APIs.
Guidelines for reporting
We kindly request that when discovering a vulnerability, you follow these guidelines:
- Report the vulnerability as soon as possible: Submit your findings using the method specified in this document.
- Provide a detailed description: Clearly and fully describe the vulnerability, including steps to reproduce it, so we can verify and resolve it quickly.
- Do not share the vulnerability with others until we have had a reasonable amount of time to resolve it.
- Respect privacy and data protection: Avoid accessing personal data, and do not modify or delete personal data.
- Limit your actions to what is necessary: Do not exploit the vulnerability beyond what is required to demonstrate the issue.
- Do not use destructive methods: Do not perform actions that could impact the availability or integrity of our systems, such as denial-of-service attacks.
- Do not perform attacks on physical security, use social engineering, send spam or phishing, or use automated applications to scan for vulnerabilities.
What you can expect from us
When you report a vulnerability in accordance with these guidelines, you can expect the following:
- Quick confirmation of receipt: We will send an acknowledgment of your report within three business days.
- Transparency throughout the process: We will keep you informed of the progress and status of your report.
- No legal action: We will not take legal action against you if you act in good faith and report the vulnerability responsibly. However, this does not apply in cases of bad faith, such as extortion, deliberate data destruction, or reducing the availability of our systems.
- Confidentiality of your report: Your personal information will not be shared with third parties without your consent, unless legally required.
No reward policy
Munisense does not have a policy for rewarding the discovery of vulnerabilities. This decision was made because bounty programs are often misused, and significant time is spent evaluating reports that fall outside the scope or have no impact on security. We encourage responsible vulnerability reporting but do not offer financial or material rewards.
No invitation to probe
Our disclosure policy is not an invitation to actively scan our network extensively for vulnerabilities. We monitor our network ourselves. As a result, there is a high likelihood that a scan will be detected, prompting our team to investigate it, which may lead to unnecessary resources being spent on analyzing the activity.
Exclusions
This policy does not apply to:
- Vulnerabilities in third-party systems or services that are integrated with ours but are not under our direct control.
- Vulnerabilities that are already publicly known or have already been identified by us.
Contact
The most recent contact information is available in a security.txt file on our website: https://munisense.net/.well-known/security.txt
You may sign or encrypt your report using the PGP key with ID 5BB32F169E8A86ECD975EFC941C0170A0B6F7531 (RSA4096): https://munisense.net/.well-known/security-pgp-key.txt
And send it to: joffrey at munisense.com
Please clearly describe the vulnerability and how we can validate it.
You may submit your report anonymously or with your contact details. We will only use your contact information to reach out with questions or feedback regarding your report unless legally required to disclose it (e.g., for police investigations or court orders).
Final Remarks
We strive to continuously improve our systems and appreciate the assistance of the security community in identifying potential vulnerabilities. By working together, we can create a more secure digital environment for everyone.
Thank you for contributing to the security of Munisense.
Contact information
Munisense B.V.
Touwbaan 38, A0.08
2352 CZ Leiderdorp
The Netherlands