So that we may more effectively respond to your report, please provide any supporting material that would be useful in helping us understand the nature and severity of the vulnerability. The information you share with Simpluris as part of this process is kept confidential within Simpluris. Simpluris will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, Simpluris will only share this information as permitted by you.
Simpluris will review the submitted report and then respond to you, acknowledging receipt of the report, and outline the next steps in the process.
Simpluris is committed to being responsive and keeping you informed of our progress as we investigate and / or mitigate your reported security concern. You will receive a non-automated response to your initial contact within 72 hours, confirming receipt of your reported vulnerability. You will receive progress updates from Simpluris every five US working days.
To protect our class members, Simpluris requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed class members if needed. Also, please do not post or share any data belonging to our class members. Addressing a valid reported vulnerability will take time, and the timeline will depend upon the severity of the vulnerability and the affected systems.
Simpluris believes that security research performed in good faith should be provided safe harbor and subject to the conditions below. We look forward to working with security researchers who share our passion for protecting Simpluris class members.
The following activities are out of the scope of the Simpluris Vulnerability Reporting Program. Conducting any of the activities below will result in disqualification from the program permanently.
Once the report has been submitted, Simpluris will work to validate the reported vulnerability. If you need additional information to validate or reproduce the issue, Simpluris will work with you to get it. When the initial investigation is complete, results will be delivered to you, along with a plan for resolution and discussion of public disclosure. Confirmation of Non-Vulnerabilities: If the issue cannot be validated or is not found to originate in a Simpluris product, this will be shared with you. Vulnerability Classification: Simpluris uses version 3.1 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities.