Coordinated Vulnerability Disclosure Policy
v1.0
Internal Security Engineering · Issued 2026-06-10
1. Scope
In-scope assets:
- Products listed at the vendor's public catalog (/lookup).
- Latest GA release and the immediately previous release of each product.
- First-party services run by the organization at production endpoints.
Out-of-scope:
- Social-engineering attacks against staff or supply-chain partners.
- Physical attacks against vendor or customer facilities.
- Denial-of-service attacks that interrupt customer service.
- Findings that reproduce only on outdated browsers (more than two major versions behind the current release) or on unsupported operating systems.
- Raw output of automated scanners submitted without a demonstrated, reproducible impact.
2. Reporting Channels
3. Service Level Agreement
- Acknowledgment within 5 business days.
- Initial substantive response within 10 business days.
- Default coordinated-disclosure window: 90 days.
4. Safe Harbor
Researchers who act in good faith and comply with this policy will not face civil, criminal, or administrative action initiated by the vendor. Good faith requires: (1) testing only in-scope assets; (2) avoiding service disruption and data destruction; (3) accessing no more data than is necessary to demonstrate impact; (4) reporting through the channels listed above before any public disclosure.
5. Rewards
This vendor currently does not operate a monetary bug-bounty programme. Researchers who consent to be named may be acknowledged in our security advisories and on the hall-of-fame page.
6. Compliance Frameworks
- EU Cyber Resilience Act (Regulation (EU) 2024/2847), Annex I, Part II, points (5) and (6): coordinated vulnerability disclosure policy and a published contact address for vulnerability reports
- ISO/IEC 29147:2018 — Vulnerability disclosure
- ISO/IEC 30111:2019 — Vulnerability handling processes
Machine-readable version: cvd_policy.json
Downloadable DOCX: cvd_policy.docx
Related: /.well-known/security.txt (RFC 9116)