Modio Disclosure Statement

At Modio we develop software for infrastructure, so security is key. At the same time we are humanoids, prone to out of coffee errors and other faults in production. So we love your feedback, and we are happy that you share your findings about our products with us. This page provides contact details and information on how to proceed when you have discovered a vulnerability.

email

You can reach us at security@modio.se

vpn_key

You may use our PGP public key to encrypt your email submission to us. ID 26EB1A1212445F54 fingerprint B8BD 40EC D6CF E4F7 29FD 39ED 26EB 1A12 1244 5F54

message

For non security related contacts see contact page.

What we would like you to do

Please follow these guidelines when reporting a security or privacy vulnerability. The faster we can verify and reproduce the issue, the faster we are able to react.

pan_tool Credit

Please tell us if you want to be credited for this report or if you want to stay anonymous.

translate Language

Please provide all information in English if possible, which is the preferred language, but if that is hard for you, just do a short summary in English, Swedish, Arabic, Kiswahili, German or Dutch, and then in the language you prefer, we will sort it out.

perm_phone_msg Contact information

Please provide all necessary contact information (contact names, organization name, tracking numbers, email addresses, phone numbers) so that we can get in touch with you.

settings Environment

Please give us details of the environment in which you found the vulnerability. This might include, but is not limited to:

  • exact product description, including name and version number(s), product configuration details, etc.
  • network configuration details
  • date and time of testing
  • any possible preconditions necessary to reproduce the issue

settings_input_component Details

Please give us details about the tools used during your investigation. Not only does it help us to reproduce the issue, it might also be a useful addition to our product security testing toolsuite.

developer_mode Code

If you wrote any specific exploit code please provide a copy.

insert_comment Additional information

Please provide us with any additional thoughts and information regarding your finding. If you know the vulnerability is being actively exploited please also tell us about it!

wifi_tethering Who else knows?

Please tell us whether you notified anybody else about the vulnerability, e.g., vulnerability coordinators, regulatory bodies, other affected vendors, etc.

vpn_key Encryption

Please encrypt your mail to us using our PGP public key. Make sure to also encrypt attachments of your mail (PGP/MIME).

What we will do

confirmation_number Receipt of Vulnerability

  • Modio will send you a receipt confirmation within 24 hours.
  • You will be provided with a direct contact person.

local_library Verification

  • The product team will attempt to reproduce the issue.
  • You may be asked for further information needed to reproduce your finding.
  • You will be notified with the result of the investigation.
  • This is usually done within 5 business days
  • If you were right, congratulations we owe you at least a beer and an acknowledgement.

update Resolution Development

  • In a detailed analysis we’ll figure out the root cause of the vulnerability.
  • We’ll find out whether other products and versions are also affected.
  • We’ll assess the severity of the finding
  • Our product teams will work on developing a resolution for the vulnerability.

track_changes Quality Assurance

  • The new software-version will go through our QA and testing process to ensure that a) the issue is resolved, b) no new vulnerabilities are introduced, and c) the intended behaviour of the product was not affected by the fix.
  • All product’s security engineers are informed of the issues, to make sure it won’t occur again.

question_answer 3rd party communication

  • If the root cause lies in an external component, we’ll communicate this vulnerability to the 3rd party and advise you of that notification. In such case, please inform us whether you would permit us to provide your information to the 3rd party.

cloud_upload Release

  • If the vulnerability is publicly known or known to be actively exploited, we may publish an advisory before remediation is available. We will credit you for the finding of course.
  • The fixed version will be released and deployed.
  • We strive to push out security releases within two weeks after verification, but sometimes we do not own the root cause, or we are dependent on another product and it can take longer time.
  • Directly after deployment you are very welcome to publish the vulnerability.

Responsible security testing

While we value your investigation efforts, please conduct testing in safe environments.

done_all

NEVER perform security testing on devices actively in use! This includes devices that are in standby mode and might be actively used after your investigation. Please be aware that security testing might have side-effects on the product that are not directly visible. When in doubt, contact Modio.

done_all

For web-based systems, never perform analysis on production systems. Use a demo, test or configuration system instead.

done_all

If you have found a vulnerability, use it only as reasonably necessary to demonstrate the vulnerability.

done_all

Never make changes to systems that are going to be used after your testing. If you do decommission the product after making the change. Most vulnerabilities can be proven by read-only, non-modifying operations.

Coordinated disclosure

We want to make sure that users of our systems are not unnecessarily put at risk. If you plan to publicly disclose a potential vulnerability, please inform us of your plans.

We encourage you to work with Modio to coordinate or synchronize the public release of information. We love to give you the honour of disclosure after we have fixed the problem. If the vulnerability is verified, Modio will give credit to the researcher reporting the vulnerability in the published security advisory, if requested.

Notice

In case you decide to share any information with Modio, you agree that the information you submit will be considered as non-proprietary and non-confidential and that Modio is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Modio. Modio will credit you where-ever possible if you haven’t chosen to stay anonymous.