Security & Vulnerability Disclosure Policy
As a cybersecurity services provider, Shiryon holds itself to the same standard we advocate for our clients. If you believe you have found a security vulnerability affecting our own website or infrastructure, we want to hear from you, and we commit to working with good-faith researchers in a respectful, non-adversarial way.
1. Our Commitment
- We will acknowledge receipt of a good-faith report within [TBC — insert target response time, e.g. 2 business days].
- We will investigate promptly and keep you reasonably informed of progress.
- We will not pursue legal action against researchers who make a good-faith effort to comply with this policy.
2. Scope
In scope for this policy:
- This website and its directly associated infrastructure ([TBC — list in-scope domains/subdomains]).
Out of scope:
- Systems belonging to Shiryon's clients — these are covered under each client's own vulnerability disclosure or bug bounty program, if one exists, and must not be tested via this site's policy.
- Third-party services we rely on but do not operate ourselves (for example, Cloudflare or Google's infrastructure) — please report those issues directly to the relevant provider.
- Denial-of-service testing, spam, or any testing that degrades service for other visitors.
- Social engineering or phishing attempts directed at Shiryon staff.
- Physical security testing of any Shiryon facility.
3. Rules of Engagement
- Only test against explicitly in-scope assets listed above.
- Do not access, modify, or exfiltrate data that does not belong to you. Stop and report immediately if you encounter data that appears to belong to a third party.
- Do not run automated scanning tools at a volume or rate that could degrade service availability.
- Do not attempt to pivot from a discovered vulnerability into further exploitation beyond what is necessary to demonstrate impact (proof of concept only).
- Give us reasonable time to remediate before any public disclosure (coordinated disclosure — see Section 6).
4. How to Report
Send a report to [TBC — insert security/VDP contact email, e.g. security@[domain]] including:
- A clear description of the vulnerability and its potential impact.
- Step-by-step reproduction instructions, including the specific URL, endpoint, or component affected.
- Proof-of-concept detail (screenshots, request/response captures, or a short video) sufficient to verify the issue without unnecessary further exploitation.
- Your preferred contact method for follow-up.
[TBC — if a PGP key is available for encrypted reports, publish its fingerprint and a link to the public key here].
5. What Happens Next
- We acknowledge your report and assign it a severity rating.
- We investigate and validate the finding, contacting you if we need more information.
- We develop and deploy a remediation, and let you know once it is resolved.
- Where appropriate and with your permission, we credit researchers who report valid, previously unknown issues (see Section 6).
6. Coordinated Disclosure & Recognition
We ask that you give us a reasonable opportunity to investigate and remediate a reported issue before any public disclosure — typically [TBC — insert target remediation/disclosure window, e.g. 90 days] from acknowledgment, subject to extension for complex issues by mutual agreement. With your permission, we are happy to publicly credit researchers who responsibly report a valid, previously unreported vulnerability.
7. Safe Harbor
Activity conducted in good faith and in accordance with this policy is considered authorized. We will not initiate legal action, and will work to prevent legal action from being taken by others, in connection with research conducted consistently with this policy. This safe harbor applies only to the scope defined in Section 2 and only where the Rules of Engagement in Section 3 are followed.
8. Contact
Security reports: [TBC — insert security/VDP contact email]. General questions about this policy: [TBC — insert general contact email].