PlaxidityX Coordinated Vulnerability Disclosure Policy

1. Introduction

At PlaxidityX, we are dedicated to ensuring the security of the broader technology ecosystem, with a particular focus on the automotive industry. As vehicles increasingly rely on interconnected systems, ensuring the security of both hardware and software technologies is critical to protecting end-users and their data. This policy outlines the process for the responsible and coordinated disclosure of vulnerabilities in third-party products or services. Our goal is to ensure vulnerabilities are reported and resolved in a timely manner to mitigate potential risks.

2. Process for Reporting Vulnerabilities

Step 1: Identification and Confirmation

When a vulnerability is identified, the following steps will be taken:

  • The vulnerability will be documented in detail, including its nature, potential impact, and any evidence of exploitation (e.g., screenshots, logs, proof-of-concept code).
  • A risk assessment will be conducted to evaluate the severity of the vulnerability based on its potential impact on confidentiality, integrity, and availability.

Step 2: Responsible Disclosure

PlaxidityX will follow these steps to disclose vulnerabilities responsibly:

  1. Identify the Vendor or Vendor’s Security Team:
    PlaxidityX will determine the appropriate contact for the affected product or service, typically the vendor’s security or incident response team.
  2. Initial Contact:
    PlaxidityX will contact the vendor with the following details:

    • A clear description of the vulnerability and its potential impact.
    • Technical details and steps to reproduce the issue.
    • A severity rating based on internal risk assessment.
    • A request for acknowledgement and a proposed timeline for resolution.
  3. Collaboration Period:
    Once the vendor acknowledges the vulnerability, PlaxidityX will provide a reasonable timeframe (typically 30-90 days, depending on severity) to resolve the issue.

    • If the vendor requires more time due to the complexity of the fix, dependencies, or other valid reasons, PlaxidityX may agree to extend the disclosure timeline. This extension will be granted based on transparent communication and mutual agreement.
    • During this period, PlaxidityX may provide technical assistance if requested by the vendor.
    • During this period, PlaxidityX will request a CVE (Common Vulnerabilities and Exposures) ID.
  4. No Resolution case:
    If the vendor does not resolve the issue or fails to provide an adequate response within the proposed timeframe:

    • PlaxidityX will notify stakeholders about the lack of resolution.
    • As Plaxidiytx is committed to raising awareness about cybersecurity risks, it is important to inform the community about this vulnerability. Therefore, a minimal public disclosure will be issued, which will include only a general description of the vulnerability and recommendations for mitigating the risk. Detailed technical information that could enable exploitation will be avoided.

Step 3: Vendor’s Fix and Public Disclosure

Once the vendor releases a fix or mitigation:

  1. PlaxidityX will verify that the fix addresses the issue effectively.
  2. After confirming the resolution, PlaxidityX will publicly disclose the vulnerability, including details of the fix.
  3. The disclosure will include all relevant information to raise awareness while enabling others to protect their systems.

3. Timeframe for Disclosure

  • Initial Notification to Vendor: Vendors will be notified after confirming a vulnerability.
  • Vendor Response Period: Vendors are typically given 30-90 days to resolve the vulnerability, depending on its severity.
  • Extensions: If the vendor requires more time to implement a complete fix, PlaxidityX will grant extensions based on transparent communication and evidence of progress.
  • Public Disclosure:
    • If a fix is confirmed within the agreed timeframe (including extensions), the vulnerability will be publicly disclosed along with the CVE ID.
    • If no resolution occurs, only general information and mitigation strategies will be shared to avoid enabling exploitation.

4. Confidentiality and Non-Disclosure

PlaxidityX will maintain confidentiality regarding vulnerabilities until proper disclosure has occurred. Public disclosure will only take place after the vendor has had sufficient time to address the issue, unless circumstances dictate otherwise.

5. Legal and Ethical Disclosure

PlaxidityX complies with all applicable laws, including without limitation all cybersecurity and data protection regulations. In performance under this policy, it is essential to always adhere to ethical research practices and not to engage in any unauthorized testing or unscrupulous conduct. Financial extortion or demands for compensation of any type in exchange for vulnerability disclosures is strictly prohibited.

6. Conclusion

PlaxidityX’s Coordinated Vulnerability Disclosure Policy ensures responsible and ethical handling of vulnerabilities, balancing the need for transparency with the importance of security. With a strong focus on the automotive industry, we are committed to working with vendors and stakeholders to secure interconnected systems, protect end-users, and enhance overall safety in the automotive ecosystem.

Ready to See Plaxidityx in Action?

“We see cybersecurity as a differentiator of our market offering and believe our partnership with PlaxidityX complements our “Digital Shield” cybersecurity service offering, helping us to achieve our goal of becoming a leader in secure software and electronics.”

Oliver Huppenbauer
Global Cybersecurity Manager at Marquardt

“The partnership with PlaxidityX enables our OEM and Tier 1 customers to benefit from our new, high-performance Ajunic®️ platform without the security worries. By leveraging PlaxidityX’s automotive cyber security expertise and innovative IDPS product line, we will be able to deliver market-leading in-vehicle protection capabilities as an integral part of our software development stack.”

Georg Schwab
Managing Director of AVL Software and Functions

“We chose PlaxidityX based on its proven experience, knowledge, methodology, and expertise..PlaxidityX’s ability to complete and submit in an extremely short time with top quality results, was critical for meeting our business goals”

Emrah Duman
Ford Trucks Leader

“PlaxidityXs’ comprehensive suite of cyber security solutions and its outstanding array of strategic technological partnerships have contributed to the company’s leadership position”

Dorothy Amy
Industry Analyst, Business Strategy & Innovation, Mobility
Frost & Sullivan

“The partnership with PlaxidityX enables our customers to perform cybersecurity testing on our established test platforms ..We are excited to partner with a strong and experienced cybersecurity service provider such as PlaxidityX”

Dr. Herbert Schütte
Executive Vice President Real-Time Test & Development Solutions
dSPACE

“By combining PlaxidityX’s expertise in securing connected vehicles with Microsoft’s Azure AI capabilities, we have a unique opportunity to accelerate ‘shift left’ security innovations across the entire automotive sector..”

Dominik Wee
Corporate Vice President for Manufacturing and Mobility
Microsoft

“PlaxidityX is a key pillar of Continental’s SDV strategy, enabling Continental to implement a security-by-design approach. As automotive cyber security moves to the cloud, PlaxidityX’ cutting-edge technologies and proven VSOC capabilities position us advantageously to meet our customers’ future needs”

Gilles Mabire
Chief Technology Officer
Continental