Lancs Network Technology Joint Stock Company (abbreviated as Lancs Net., JSC) announces its policy for receiving reports of vulnerabilities and weaknesses in this software product to improve product/service quality and enhance user experience by listening to the opinions and feedback of its customers.
We are committed to protecting the personal information of our customers and will make every effort and use appropriate measures to ensure that the information provided by customers during the use of our products/services is processed quickly and efficiently in accordance with the law.
ARTICLE 1. PURPOSE AND SCOPE
Purpose
- To create a specific and structured process for users or groups of users to report security vulnerabilities they discover in Lancs Net., JSC’s systems, applications, or services.
- To create a secure and reliable communication channel for users or security research teams to report vulnerabilities they discover. Instead of trying to exploit the vulnerability to cause harm, customers/users can notify Lancs Net., JSC so that it can be fixed and protected before the vulnerability is exploited by attackers.
Scope
Applies to all systems, applications, and services managed or owned by LANCS NETWORK TECHNOLOGY JOINT STOCK COMPANY (LANCS NET., JSC).
Definition and Classification
Definition
A vulnerability is a weakness or deficiency in a system, software, or network device that can be exploited by attackers (hackers, malware) to harm the system, compromise personal data, or disrupt system operation. Vulnerabilities can arise from programming errors, misconfigurations, or human-related factors.
Severity Level
- Critical vulnerabilities: These are vulnerabilities that can cause significant financial losses, data loss, or business disruption. These vulnerabilities can be exploited remotely without user interaction.
- Medium vulnerabilities: These have the potential to cause significant impact but are not direct or easily exploitable. Certain conditions are required for these vulnerabilities to be triggered.
- Low vulnerabilities: These have little impact on the system or require complex conditions for exploitation. These vulnerabilities may cause difficulties but do not seriously affect overall security.
Potential Impacts
- Impact on data security: The vulnerability could cause the loss or leakage of sensitive data, including personal information, financial data, or confidential organizational data.
- Impact on system integrity: The vulnerability could be exploited to alter data or install malware, thereby harming the system.
- Impact on system availability: The vulnerability could disrupt services, cause downtime, or reduce system performance.
- Impact on corporate reputation: The vulnerability could damage the organization’s reputation if exploited or publicly disclosed.
ARTICLE 2. REPORTING PROCEDURE
Reporting Channels
Customers/Users can report vulnerabilities via the contact email of Lancs Net., JSC or through other communication mechanisms, such as calling the Hotline or chatting via Zalo OA with the Hotline: 0868.275.959.
Customers can also send complaints via email to info@lancsnet.com.
Required Information
Customers must provide the following information when submitting a vulnerability report:
- Detailed description of the vulnerability: A specific description of the vulnerability, including technical and functional details of the vulnerability.
- Exploitation method: A description of how the vulnerability can be exploited, including specific steps or malware that may be used.
- Potential impact (if applicable): An assessment of the potential impact of the vulnerability, including security consequences and the potential impact on the operations of Lancs Net., JSC.
Information Security
Information about vulnerabilities is sent and processed securely and confidentially, ensuring that this information is only disclosed to those necessary to fix the vulnerability.
Confirmation and Response
Lancs Net., JSC has a process for confirming and responding to the reporter after the customer submits a report, including providing a record or tracking number so the reporter can track the progress of their customer report.
ARTICLE 3. COMMITMENTS OF LANCS NET., JSC
Commitment to confirming receipt of reports within 2 business days
Lancs Net., JSC will review and confirm vulnerability reports from the reporter within 48 hours of submission.
Commitment not to take legal action against vulnerability reporters if they comply with the vulnerability and weakness reporting policy
Vulnerability reporters will not be held legally liable or face legal action if they comply with Lancs Net., JSC’s policy. This helps create a safe and supportive environment for vulnerability reporters, encouraging them to share information about vulnerabilities openly and honestly.
ARTICLE 4. REPORT HANDLING PROCEDURE
Verification
Lancs Net., JSC will verify the accuracy of the reported information, including checking whether the reported vulnerability actually exists and can be exploited.
Assessment
The vulnerability will be assessed to determine its severity and impact on the system, application, or service. This assessment may include determining the vulnerability’s exploitability, potential impact on data or the system, and the priority of remediation.
Remediation
Following the assessment, Lancs Net., JSC will take measures to remediate the vulnerability. This may include developing and deploying patches, reconfiguring the system, or implementing supplementary security measures.
Estimated time to resolve
Lancs Net., JSC typically provides an estimated time to resolve vulnerabilities for the reporter. This timeframe may depend on the severity of the vulnerability and the resources available to implement remediation measures.
ARTICLE 5. FEEDBACK AND COMMUNICATION
Feedback on Vulnerability Status and Results
Lancs Net., JSC provides feedback to the reporter on the status and results of the remediation process for the vulnerability they reported. This includes notifying the reporter when the vulnerability has been confirmed, the progress of the remediation process, and information on the patch or security measures that have been implemented.
Communication Channel for Further Information Exchange
The reporter has a communication channel for further information exchange if needed. This could be an email address or an online vulnerability tracking system that they can use to send further information, ask further questions, or receive updates on the vulnerability status.
ARTICLE 6. CONFIDENTIALITY AND PRIVACY
Commitment to protecting the personal information and report details of the whistleblower
Lancs Net., JSC is committed to protecting the personal information and report details of the whistleblower. This may include disclosing only the information necessary to address the vulnerability and keeping the rest confidential.
Ensuring the vulnerability remediation process is discreet and secure
Lancs Net., JSC also ensures that the vulnerability remediation process will be conducted discreetly and securely, without disclosing information about the vulnerability to any third party without authorized access.
ARTICLE 7. REWARD POLICY
Lancs Net., JSC has a reward policy for whistleblowers in accordance with the Company’s policy and depending on the specific circumstances of the case.
ARTICLE 8. POLICY PUBLICATION
Website Posting
- The policy should be posted on the website of Lancs Net., JSC.
- A link to send emails or a search button for reporting methods will be placed in an easily accessible location for users to quickly access the information.
Notification to Relevant Parties
- Lancs Net., JSC will send notifications about the vulnerability/weakness reporting policy to partners, customers, and the security community.
- Notifications should be sent via channels such as email, announcements on security forums, or through appropriate social media channels.
Content of Publication
- Information in the publication should include the purpose and scope of the vulnerability/weakness reporting policy, how to submit reports, and Lancs Net., JSC’s commitment to information security and privacy.
- A clear and understandable overview is needed regarding how Lancs Net., JSC handles vulnerability reports and how users can contact them.
ARTICLE 9. ESTABLISHING REPORTING CHANNELS
Dedicated Email
- Lancs Net., JSC has a dedicated email address or inbox specifically for receiving vulnerability/weakness reports.
- This email address is publicly available and easily accessible to the security community and users.
Online Vulnerability Tracking System
- Lancs Retails and its parent company, Lancs Networks, have an online vulnerability tracking system that allows users to easily submit vulnerability reports and track their progress.
- The channels for receiving information are simple and user-friendly, allowing users to conveniently submit detailed vulnerability information.
Continuous Monitoring
- Ensure that reporting channels are continuously monitored, especially during business days.
- The process for handling vulnerability reports quickly and efficiently includes verification, assessment, and remediation.
Information Updates
Provide reporters with updates on the vulnerability remediation process, including the report status and implemented remediation measures.
Reporting Feedback
Provide feedback to reporters after they submit vulnerability reports, including acknowledgment of receipt and information on the remediation progress.
