MSys Vulnerability Disclosure Policy

MSys Technologies is a reliable partner for product engineering services and digital transformation projects for its ISV and Enterprise clientele. is committed to ensuring the safety and security of our customers. Toward this end, Msys is now formalizing our policy for accepting vulnerability reports in our solutions. We hope to foster an open partnership with the security community, and we recognize that the work the community does is important in continuing to ensure safety and security for all of our customers.

We have developed this policy to both reflect our corporate values and to uphold our responsibility to security researchers that are providing us with their expertise.

Vulnerability disclosure scope

MSys’s vulnerability disclosure program covers the following:

  • MSys public web site
  • MSys customer digital channels

We do not permit anyone to perform any activity that could potentially cause harm to MSys or to our customers. If vulnerabilities are discovered, it is not allowed to pivot into the internal network, access any confidential data or cause harm to vulnerable systems.

Out of scope:

  • Any vulnerability obtained through the compromise of a MSys customer or employee account
  • Customer assets not supplied by MSys
  • Attacks against the integrity of MSys customers
  • Vulnerabilities discoverable through automated scans which have not been verified manually

Legal posture

We openly accept vulnerability reports for stated scope of the vulnerability disclosure policy. We agree not to pursue legal action against individuals who:

  • Engage in good faith testing of systems/research without harming MSys or its customers
  • Engage in vulnerability testing within the scope of our vulnerability disclosure program
  • Test on solutions without affecting customers
  • Refrain from disclosing vulnerability details to the public before it is fixed or a mutually agreed upon timeframe expires

This policy does not provide consent to any unauthorised penetration of MSys or customer systems, or breach of applicable laws or contractual obligations.

Preference, prioritisation, and acceptance criteria

We will use the following criteria to prioritise and triage submissions:

  • Well-written reports in English will have a higher chance of resolution
  • Reports that include proof-of-concept code help us to evaluate the situation
  • Reports that include only crash dumps or other automated tool output may receive lower priority
  • Reports that include solutions not on the scope list may receive lower priority
  • Please include how you found the bug, the impact, and any potential remediation
  • Please include any plans or intentions for public disclosure

Researchers must not:

  • Send unsolicited electronic mail to MSys users, including “phishing” messages
  • Engage in physical testing of facilities or resources
  • Engage in social engineering
  • Execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks, against MSys or our suppliers
  • Introduce malicious software
  • Test in a manner which could degrade the operation of MSys systems; or intentionally impair, disrupt, or disable MSys systems
  • Test third-party applications, websites, or services that integrate with or link to or from MSys systems
  • Delete, alter, share, retain, or destroy MSys data, or render MSys data inaccessible, or
  • Use an exploit to exfiltrate data, establish command line access or to establish a persistent presence on MSys systems.

Clarity of program

  • MSys recognises the value and contribution of the security community to our company purpose: Enabling sustainable societies with smart technology. To this end we warmly welcome the opportunity to collaborate with community members in creating a more secure world.
  • This program does not provide monetary rewards.

What you can expect from us:

  • A timely response to your email
  • After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it
  • An open dialog to discuss issues
  • Notification when the vulnerability analysis has completed each stage of our review

If we are unable to resolve communication issues or other problems, MSys may bring in a neutral third party to assist in determining how best to handle the vulnerability.

How to Submit a Vulnerability

To submit a vulnerability report to MSys Security Team, please utilize the following email address [email protected]

Note: By submitting your report, you agree to the terms of this Vulnerability Disclosure Policy.