PlaxidityX Coordinated Vulnerability Disclosure Policy

1. Introduction

At PlaxidityX, we are dedicated to ensuring the security of the broader technology ecosystem, with a particular focus on the automotive industry. As vehicles increasingly rely on interconnected systems, ensuring the security of both hardware and software technologies is critical to protecting end-users and their data. This policy outlines the process for the responsible and coordinated disclosure of vulnerabilities in third-party products or services. Our goal is to ensure vulnerabilities are reported and resolved in a timely manner to mitigate potential risks.

2. Process for Reporting Vulnerabilities

Step 1: Identification and Confirmation

When a vulnerability is identified, the following steps will be taken:

  • The vulnerability will be documented in detail, including its nature, potential impact, and any evidence of exploitation (e.g., screenshots, logs, proof-of-concept code).
  • A risk assessment will be conducted to evaluate the severity of the vulnerability based on its potential impact on confidentiality, integrity, and availability.

Step 2: Responsible Disclosure

PlaxidityX will follow these steps to disclose vulnerabilities responsibly:

  1. Identify the Vendor or Vendor’s Security Team:
    PlaxidityX will determine the appropriate contact for the affected product or service, typically the vendor’s security or incident response team.
  2. Initial Contact:
    PlaxidityX will contact the vendor with the following details:

    • A clear description of the vulnerability and its potential impact.
    • Technical details and steps to reproduce the issue.
    • A severity rating based on internal risk assessment.
    • A request for acknowledgement and a proposed timeline for resolution.
  3. Collaboration Period:
    Once the vendor acknowledges the vulnerability, PlaxidityX will provide a reasonable timeframe (typically 30-90 days, depending on severity) to resolve the issue.

    • If the vendor requires more time due to the complexity of the fix, dependencies, or other valid reasons, PlaxidityX may agree to extend the disclosure timeline. This extension will be granted based on transparent communication and mutual agreement.
    • During this period, PlaxidityX may provide technical assistance if requested by the vendor.
    • During this period, PlaxidityX will request a CVE (Common Vulnerabilities and Exposures) ID.
  4. No resolution:
    If the vendor does not resolve the issue, or fails to provide an adequate response, within the agreed timeframe:

    • PlaxidityX will notify stakeholders about the lack of resolution.
    • As PlaxidityX is committed to raising awareness about cybersecurity risks, it is important to inform the community about the vulnerability. A minimal public disclosure will therefore be issued, containing only a general description of the vulnerability and recommendations for mitigating the risk. Detailed technical information that could enable exploitation (e.g., reproduction steps or proof-of-concept code) will be withheld.

Step 3: Vendor’s Fix and Public Disclosure

Once the vendor releases a fix or mitigation:

  1. PlaxidityX will verify that the fix effectively addresses the issue, re-testing the original reproduction steps against the patched product or service.
  2. After confirming the resolution, PlaxidityX will publicly disclose the vulnerability, including details of the fix.
  3. The disclosure will include all information relevant to raising awareness and enabling others to protect their systems.

3. Timeframe for Disclosure

  • Initial Notification to Vendor: Vendors will be notified after PlaxidityX has confirmed a vulnerability.
  • Vendor Response Period: Vendors are typically given 30-90 days to resolve the vulnerability, depending on its severity.
  • Extensions: If the vendor requires more time to implement a complete fix, PlaxidityX will grant extensions based on transparent communication and evidence of progress.
  • Public Disclosure:
    • If a fix is confirmed within the agreed timeframe (including extensions), the vulnerability will be publicly disclosed along with the CVE ID.
    • If no resolution occurs, only general information and mitigation strategies will be shared to avoid enabling exploitation.

4. Confidentiality and Non-Disclosure

PlaxidityX will maintain confidentiality regarding vulnerabilities until proper disclosure has occurred. Public disclosure will only take place after the vendor has had sufficient time to address the issue, unless circumstances dictate otherwise (for example, the no-resolution case described in Section 2, where only a minimal disclosure is issued).

5. Legal and Ethical Disclosure

PlaxidityX complies with all applicable laws, including without limitation all cybersecurity and data protection regulations. When acting under this policy, PlaxidityX will always adhere to ethical research practices and will not engage in any unauthorized testing or unscrupulous conduct. Financial extortion, or any demand for compensation of any type in exchange for vulnerability disclosure, is strictly prohibited.

6. Conclusion

PlaxidityX’s Coordinated Vulnerability Disclosure Policy ensures responsible and ethical handling of vulnerabilities, balancing the need for transparency with the importance of security. With a strong focus on the automotive industry, we are committed to working with vendors and stakeholders to secure interconnected systems, protect end-users, and enhance overall safety in the automotive ecosystem.


"We regard cybersecurity as a market differentiator, and we are confident that our partnership with PlaxidityX will complement our 'Digital Shield' cybersecurity services offering and help us achieve our goal of becoming a leader in delivering secure software and electronics."

Oliver Huppenbauer

"Through our partnership with PlaxidityX, our OEM and Tier 1 customers can use the new high-performance Ajunic® platform without worrying about security. By leveraging PlaxidityX's automotive cybersecurity expertise and innovative IDPS products, we can offer market-leading in-vehicle protection as part of our essential software development stack."

Georg Schwab

"PlaxidityX's wealth of experience, knowledge, methodology and expertise was the deciding factor. PlaxidityX delivered results of the highest quality in a very short time, and played an important role in achieving our business goals."

Emrah Duman

"PlaxidityX's comprehensive range of cybersecurity solutions and outstanding strategic technology partnerships have contributed to establishing the company's leadership position."

Dorothy Amy

"Our partnership with PlaxidityX enables our customers to carry out cybersecurity testing on our test platform. We are very pleased to partner with such a strong and experienced cybersecurity service provider as PlaxidityX."

Dr. Herbert Schütte

"Combining PlaxidityX's expertise in connected-vehicle security with Microsoft's Azure AI capabilities gives us a unique opportunity to accelerate the 'shift left' of security across the automotive industry."

Dominik Wee

"PlaxidityX is a key pillar of Continental's SDV strategy and indispensable to realizing our security-by-design approach. As automotive cybersecurity moves to the cloud, PlaxidityX's cutting-edge technology and proven VSOC capabilities give us the competitive edge to meet our customers' 'future needs'."

Gilles Mabire