Introduction
At CytoTronics, we are committed to maintaining the security and privacy of our products, services, and the data we manage, including, and most importantly, our customers’ data. Security researchers and members of the public play an important role in identifying vulnerabilities that may not have been discovered during our development process. This Vulnerability Disclosure Policy is designed to provide clear guidelines on how to report potential security vulnerabilities responsibly.
Scope
This policy applies to security vulnerabilities in the following areas:
- The cytotronics.com web site, including backend and frontend components
- The cytotronics.io web application, including backend and frontend components
- Our cloud-connected imaging devices and their associated software
- Infrastructure and network configurations under our direct control
This policy does not cover:
- Issues related to third-party services or applications we use but do not manage
- Non-security related bugs or feature requests
Authorization
If you make a good-faith effort to comply with this policy during your security research, we will consider your research to be authorized, and we will work with you to understand and resolve the issue in a timely fashion.
Guidelines
Under this policy, “research” means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command-line access, or pivot to other systems.
- Provide us with a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Test methods
The following test methods are not authorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
How to report a vulnerability
If you discover a potential security vulnerability, please email us at infosec@cytotronics.com with the following details:
- A detailed description of the vulnerability.
- Steps to reproduce the issue, including any proof-of-concept (PoC) code if applicable.
- Information about the environment, such as device type, operating system, browser version, or API version.
- Your contact information (name and email) so we can follow up if needed. This is optional, but encouraged.
Please avoid using public communication channels to report vulnerabilities.
Our commitment
When you share your findings with us in accordance with this policy, we commit to:
- Acknowledging your report within 5 business days.
- Providing updates on our investigation and resolution progress.
- Addressing valid vulnerabilities promptly and transparently.
Policy Version 1.0 | Effective 2024-11-21