Vulnerability Disclosure Policy

securIT welcomes coordinated reports about security vulnerabilities. This page explains how to reach us, what to send, and how we handle disclosure.

Last updated: 2026-06-29

Overview

SIA SECURIT (“securIT”) welcomes coordinated reports about security vulnerabilities discovered by our team or responsibly reported to us in systems, software, and services that we are authorized to assess.

This policy describes how we coordinate vulnerability disclosure when securIT identifies or validates a vulnerability affecting our own services, third-party software, open-source projects, industrial/OT components, or related digital infrastructure. It applies both to issues we find and to reports we receive from external researchers.

How to report a vulnerability

Contact

Send vulnerability coordination messages to:

[email protected]

Machine-readable contact details are also published at /.well-known/security.txt (RFC 9116).

Please include

  • A clear description of the vulnerability.
  • Affected product, component, and version.
  • Steps to reproduce in a safe test environment.
  • Potential impact.
  • Any known public references or duplicate reports.
  • Your preferred credit line, if you would like to be acknowledged.

Our coordination process

  1. Confirm the issue in a safe and lawful test environment.
  2. Identify the affected vendor, maintainer, project, or responsible coordinator.
  3. Check whether another CVE Numbering Authority (CNA) has a more specific scope.
  4. Contact the affected party through their published security channel when available.
  5. Share enough technical detail for validation and remediation.
  6. Coordinate publication timing before public advisory release.
  7. Publish a concise advisory after a fix, mitigation, or agreed disclosure point.

Disclosure timelines

Our default coordinated disclosure period is up to 90 calendar days after successful vendor or maintainer contact. We may adjust this timeline when:

  • The issue is already publicly known.
  • The vulnerability is being actively exploited.
  • The affected party confirms a different remediation schedule.
  • A coordinator such as a vendor CNA, CERT, CSIRT, CISA ICS, CERT@VDE, ENISA, or MITRE recommends a different process.
  • The affected party is unresponsive after repeated contact attempts.

CVE coordination

securIT may request, assign, or coordinate CVE IDs only when appropriate under CVE Program rules and scope. If another CNA has a more specific scope for the affected product, we will route the issue to that CNA or coordinator where appropriate.

For industrial control systems, OT, medical, or critical-infrastructure-related vulnerabilities, we may coordinate with vendor PSIRTs, CISA ICS, CERT@VDE, ENISA / CSIRT routes, or other relevant coordination bodies.

Research boundaries

securIT conducts and accepts research strictly within legal and ethical limits. The following activities are not authorized:

  • Testing against live third-party systems without permission.
  • Accessing, modifying, deleting, or exfiltrating third-party data.
  • Persistence, lateral movement, destructive testing, or denial-of-service testing outside an approved lab.
  • Public release of exploit code before coordination.

If you make a good-faith effort to comply with this policy during your research, we will treat your report as authorized, will not pursue or support legal action against you, and will work with you to understand and resolve the issue quickly.

Advisory publication

Public advisories are published at securit.lv/advisories. Advisories may include affected versions, impact, CVE ID, CWE, CVSS score, remediation guidance, references, a disclosure timeline, and researcher credit.

A note on scope

This policy is not a bug bounty program and does not offer monetary rewards. It is intended to support responsible coordination and accurate public vulnerability information.

SIA SECURIT

Reg. No. 50203643891 · Brīvības iela 85-5, Rīga, LV-1001, Latvia

[email protected]