As a cybersecurity vendor, the security of our customers and partners is our top priority. That’s why we design and develop solutions of the highest possible quality and reliability. Despite all our efforts to implement the best possible security measures, it is possible for vulnerabilities to appear in our solutions or for us to be affected by a security incident ourselves.
Everyone is therefore encouraged to report any vulnerability identified in one of our solutions. Researchers, partners, customers and any other interested parties are welcome to report vulnerabilities or security incidents.
Reporting a vulnerability or security incident
To contact our team responsible for the security of our solutions and our company, you can write to security@harfanglab.fr.
If you have identified a potential security vulnerability with one of our solutions, please send us the following information:
- Time and date of discovery;
- Version of the solution;
- All the data needed to reproduce the vulnerability;
- Technical description of the vulnerability: give as many technical details as possible about the conditions under which it occurred and the impact identified;
- Solution configuration – details of the configuration of the solution and the underlying devices on which it was identified;
- Code used to exploit the vulnerability if possible;
- Your contact details so that we can reach you.
These elements should be transmitted in English or French and should not include any personal data, apart from the information needed to contact you.
Sharing a potential vulnerability does not grant you any intellectual property rights belonging to HarfangLab or to a third party.
Our commitment to handling security reports
After receiving your vulnerability or incident report, our team will contact you to follow up on your report. For reasons of confidentiality and security, we encourage you to encrypt any sensitive information you send us by email. To do this, you can use our public PGP key.
We will endeavour to acknowledge receipt of all reports submitted within seven days and will then engage in an open dialogue to discuss the issues identified and to inform you of the outcome of your report.
We are free to decide whether or not to accept a report as relevant. For example, we will not consider vulnerabilities in third-party components, vulnerabilities in obsolete versions of our solutions or automated scans whose exploitability has not been verified manually.
Our requirements for identified vulnerabilities and security incidents
We formally exclude from the scope of reporting any vulnerability identified by:
- Performing social engineering, spamming or phishing on HarfangLab employees, customers or third parties;
- Testing the physical security of HarfangLab assets or those of third parties;
- Carrying out denial of service attacks;
- Directly or indirectly harming HarfangLab, its employees, customers or third parties.
We thank you for your contribution to strengthening the security of our solutions and for working to secure our digital space as a whole by disclosing identified vulnerabilities in a responsible manner.