At Mitchell & Brown, our unwavering commitment to software security and safeguarding your data underscores our corporate ethos. We hold transparency and community engagement in high regard, recognising their pivotal role in fostering trust and accountability. We pledge to diligently address any security concerns that may arise in the utilisation of our products.

Introduction

This Vulnerability Disclosure Policy sets out the framework for reporting vulnerabilities to our organisation. We urge individuals to thoroughly acquaint themselves with this policy prior to reporting any vulnerabilities and to adhere to its stipulations carefully.
We deeply value the dedication and effort of those who bring security vulnerabilities to our attention in accordance with this policy. However, it’s important to note that we do not offer monetary incentives for such disclosures.

Reporting

Should you encounter a potential security vulnerability, we encourage you to promptly submit a detailed report to us via email at customerservice@mitchellandbrown.co.uk. Your report should encompass the following elements:

• Identification of the model number where the vulnerability can be seen.
• Title of the vulnerability (mandatory).
• Comprehensive description of the vulnerability, including a summary, supporting documentation, and suggested mitigations or recommendations (mandatory).
• Assessment of the potential impact of the vulnerability (mandatory).
• Step-by-step reproduction instructions. These should demonstrate a proof of concept to facilitate swift and accurate handling of the report and mitigate the risk of duplicate submissions or malicious exploitation, such as sub-domain takeovers.
• Contact Information: If you desire follow-up communication regarding the status of your report, please provide adequate contact details, such as your name and email address. While providing contact information is optional, rest assured that any details provided will be solely utilised for communication related to the reported vulnerability and will not be used for any other purpose. At Mitchell & Brown, safeguarding your privacy and data integrity is paramount, and we remain steadfast in our commitment to granting you control over your information.

What to Expect

Upon receipt of your report, and provided you have supplied contact information, we undertake to acknowledge receipt within 5-7 working days and aim to respond to your report within 25 working days.
Remediation priority is determined based on factors such as impact, severity, and exploit complexity.

Guidance

We emphasise adherence to the following guidelines:

• Compliance with all applicable laws and regulations.
• Limiting access to necessary data and refraining from accessing unnecessary or excessive data.
• Abstaining from modifying data within the organisation’s systems or services.
• Avoiding the use of high-intensity invasive or destructive scanning tools for vulnerability detection.
• Refraining from any form of denial-of-service attempt or reporting thereof.
• Exercising caution to prevent disruption of the organisation’s services or systems.

At Mitchell & Brown, we remain committed to upholding the highest standards of security while fostering transparency and collaboration with our valued community of users.