Responsible Disclosure Policy
This is a Controlled Document
In line with Vaxa's governance framework, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.

| Version | Effective | Reviewed | Next review due |
|---|---|---|---|
| 1.0.0 | 2024-02-01 | 2024-02-01 | 2025-01-19 |
Purpose
This policy allows for the reporting and disclosure of concerns and vulnerabilities discovered by external entities, as well as anonymous reporting of information security policy violations by internal entities. These vulnerabilities or concerns usually relate to security, confidentiality, integrity, and availability failures, incidents, or concerns.
Scope
Vaxa’s Responsible Disclosure Policy applies to all Vaxa platforms and information security infrastructure. It applies to all employees and all third parties.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Security and Compliance Team | Review and assess vulnerability reports submitted to the security+vulnerability@vaxagroup.com inbox. Initiate the resolution process, communicate with the reporter, and track remediation efforts. Ensure compliance with legal and ethical standards throughout the process. |
| Product Security Team | Manage receipt and triage of vulnerability reports. Prioritise and assign resources for resolution. Maintain communication with external entities providing vulnerability reports, and acknowledge submissions within 2 business days. Provide public credit to the reporter upon successful resolution. |
| Managing Director/Directors | Act as the point of contact for individuals reporting retaliation, reprisal, or harassment related to whistleblowing. Ensure any instances of retaliation are addressed promptly and appropriately. Support and protect the whistleblower’s rights during an investigation. |
| Neutral Third Party (if necessary) | Assist in resolving communication issues or challenges related to the handling of a vulnerability. Facilitate communication between Vaxa and external entities if conflicts arise. |
Policy Statement
Legal Position
Vaxa will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting inbox. We openly accept reports for all Vaxa products and services. We agree not to pursue legal action against individuals who, in good faith:
- Engage in the testing of systems/research without harming Vaxa or its customers.
- Engage in vulnerability testing within the scope of our vulnerability disclosure program.
- Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software.
- Adhere to the laws of their location and the location of Vaxa.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
Vulnerability Reporting/Disclosure
How to Submit a Vulnerability
To submit a vulnerability report to Vaxa’s Product Security Team, please utilise the following email: security+vulnerability@vaxagroup.com.
A basic version of our responsible disclosure policy is also made available in the security.txt format on each of the Vaxa brands’ public-facing websites at /.well-known/security.txt.
Preference, Prioritisation, and Acceptance Criteria
What we would like to see from you:
- Well-written reports in English will have a higher probability of resolution.
- Reports that include proof-of-concept code equip us to better triage.
- Reports that include only crash dumps or other automated tool output may receive lower priority.
- Reports that include products not on the initial scope list may receive lower priority.
- Please include how you found the bug, the impact, and any potential remediation.
- Please include any plans or intentions for public disclosure.
What you can expect from Vaxa:
- Acknowledgement of your report within 2 business days.
- After triage, we will send an expected resolution timeline. We commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
- An open dialogue to discuss issues and resolution.
- Notification when the vulnerability analysis has completed each stage of our review.
- Public credit after the vulnerability has been validated and fixed.
If we are unable to resolve communication issues or other problems, Vaxa may bring in a neutral third party to assist in determining how best to handle the vulnerability.
Whistleblowing
How to Submit a Report
To anonymously report an information security program violation or a violation of related laws and regulations, you can:
- Send an email to security+whistleblow@vaxagroup.com.
We encourage you to use a temporary email service to protect your identity if desired.
Preference, Prioritisation, and Acceptance Criteria
What we expect from you:
- A detailed report made in good faith or based on a reasonable belief.
  - Good faith: Truthful reporting of a company-related violation of information security policies, procedures, or regulations, as opposed to a report made with reckless disregard or willful ignorance of the facts.
  - Reasonable belief: A subjective belief in the truth of the disclosure that any reasonable person in a similar situation would, based on the facts, objectively hold as well.
- Details of the violation (i.e., what, how, why).
- Facts about the reported event (i.e., who, where, when).
- You are not responsible for investigating the alleged violation or determining fault or corrective measures.
What you can expect from Vaxa:
- Your report will be submitted to the Security and Compliance Team for review.
- Protection of your identity and confidentiality.
  - Note: It may be necessary for your identity to be disclosed when a thorough investigation, compliance with the law, or due process of accused members is required.
- Protection against any form of reprisal, retaliation, or harassment.
  - If you believe that you are being retaliated against, immediately contact the Managing Director or other Director.
  - Any retaliation or harassment against you will result in disciplinary action towards the instigator.
  - Retaliation, reprisal, and harassment—from which you will be protected—can include:
    - Dismissal
    - Disadvantaging you in your employment or position
    - Discrimination between you and other employees or third parties
    - Harassment or intimidation
    - Harm or injury (including psychological injury)
    - Damage to property
    - Damage to reputation
  - Note: Your right to protection does not extend to immunity for any personal wrongdoing alleged in the report and investigated. You may be liable for your own misconduct.
- Due process for you and the accused member(s).
- Corrective actions will be taken to resolve a verified violation, including reviewing and enhancing applicable policies and procedures if necessary.
- Continuous information security awareness training and advice on your rights as a whistleblower.
Exceptions
Any exceptions to this policy must be approved by the Security and Compliance Team and properly documented.
Compliance & Monitoring
Compliance with this policy will be ensured by:
- Regular reviews: Conducting regular reviews of reported vulnerabilities and policy violations.
- Tracking remediation: Monitoring remediation efforts and ensuring timely resolution.
- Transparent communication: Maintaining open communication with reporters throughout the process.
- Whistleblower protection: Protecting whistleblowers from retaliation and ensuring their rights are upheld.
- Audits: Performing periodic audits to ensure adherence to legal and ethical standards.