Safety & security
Percall Group values security research
Safety & security are incredibly important to PERCALL GROUP and to the ecosystems we serve. As we see greater convergence of physical and digital systems, we all carry a shared responsibility to develop and maintain more secure, defensible, and resilient systems. PERCALL GROUP is committed to doing our part through robust security programs and initiatives. As an extension to our own efforts, PERCALL GROUP wishes to team with willing allies acting in good faith. As such, PERCALL GROUP welcomes the invaluable contributions offered by security researchers. To ensure a smooth and streamlined process, we have our Coordinated Vulnerability Disclosure Program.
Legal Posture
PERCALL GROUP will not pursue legal action for those acting in good faith and in adherence to the coordination instructions and guidelines described in this policy, including compliance with all applicable laws.
Communicating with Percall Group
To ensure proper handling of the disclosure in both directions, please adhere to the following instructions:
- Please contact us without any technical details in English to support@solings.com.
- Do not include sensitive information (other than information related to the vulnerability details) in any screenshots or other documents or content you provide to us.
- Once we have received your message, an appropriate PERCALL GROUP employee will acknowledge receipt within seven (7) calendar days.
What we expect of you
We are willing to work with security researchers who comply with the following guidelines:
- Avoid any testing (or hacking) on active environments (use test or development environments to perform vulnerability testing)
- Comply with all applicable laws and regulations
- Do not access or modify any data in any account or system for which you do not have legal control
- Do not take advantage of the vulnerability or any issue you have discovered; do not take any disproportionate or illegal actions
- We ask you to work with PERCALL GROUP on selecting public release dates for information on discovered vulnerabilities to minimize the possibility of public safety, privacy and security risks
- Inform us of your disclosure plans, if any, prior to public disclosure
- Involve DHS-ICS-CERT, CERT/CC, relevant Regulators, or other appropriate government entities when prudent
- Provide us with details of any communication on the vulnerability (and CVE) to vulnerability coordinators
- Preference: Well-written reports in English will have a higher chance of prompt resolution
- Preference: Reports that include proof-of-concept code equip us to better triage
What you can expect from Percall Group
Once we have received a submission, PERCALL GROUP will:
- Acknowledge receipt within seven (7) calendar days.
- Perform an initial assessment on the potential findings to determine accuracy, need for escalation and product group to escalate to. In this phase, you may:
- Receive requests for additional information, or
- Receive notification that the vulnerability is not accepted into the program because it does not meet the criteria of the program or provide sufficient detail. (You may respond to any notifications of non-acceptance by contacting cvd@Percall Group.com)
- Develop a resolution and take appropriate action depending on the criticality scoring of the vulnerability.
- Provide the researcher with public recognition if requested and if the report results in a publicly released fix or communication.
- Where necessary or if we are unable to resolve communication issues or other problems, PERCALL GROUP may bring in a neutral third party (such as CERT/CC, DHS-ICS-CERT, or the relevant regulator) to assist in determining how best to handle the vulnerability.
