The Vulnerability Disclosure Policy

Purpose

Performetriks LLC (“Performetriks”), a global software and services provider, is committed to the safety and security of its customers, employees, and partners. We believe that the security community and security researchers play a vital role in protecting all users from harm and appreciate their contributions to the greater good. Reporting security vulnerabilities will help us improve the security and privacy of our customers and users. Please follow the process below to report suspected vulnerabilities, allowing us to assess and resolve any issues found in Performetriks products and services. If a vulnerability is validated, we may assign a CVE to the problem.

Reporting Security Issues

If you believe you have discovered a vulnerability in a Performetriks product or have a security incident to report, please use this form.

When reporting:

  • Describe the vulnerability, including the affected product, version, and operating system or environment.

  • Include the steps required to reproduce the vulnerability (Proof-of-Concept scripts, screenshots, and other evidence showing the exploit).

  • Provide information about the potential impact of the vulnerability and potential remediation, if possible.

  • Please provide your contact information so we can follow up with you.

  • Please do not include: any personally identifiable information of any person other than yourself, or any information protected by data privacy laws.


Please let us know if and how you would like to be credited in public advisories (by name, company, organization, etc.).

Performetriks does not provide financial awards for identifying issues or participating in public bug bounty programs.

When we have received a report, Performetriks will:

  1. Investigate and verify the vulnerability, then address it. This may include an upgrade or patch, remediation steps, or configuration changes as appropriate. If a fix cannot be made quickly, Performetriks will try to provide mitigation instructions or take action to protect customers as appropriate.

  2. Publicly announce the vulnerability in the release notes of the update. Performetriks may also issue additional public announcements, for example, via social media, our blog, and the media.

  3. Credit the reporter who submitted the vulnerability, unless they prefer to remain anonymous.

We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, enabling us to improve our products and services and better protect our customers.

Thank you for working with us through the above process.

Coordinated Vulnerability Disclosure (CVD) Policy

In line with standard industry practice for Coordinated Vulnerability Disclosure (CVD), Performetriks typically prepares and publishes advisories detailing newly discovered vulnerabilities approximately 60 days after our initial attempts at private disclosure. All Performetriks advisories will be published via the Performetriks Security and Trust Centre; additional announcements may be made through blog posts, social media, and media engagement.

Please note that technical vulnerabilities often involve undefined behavior and unexpected interactions. Therefore, Performetriks may modify the timeline for disclosure at our sole discretion. Additionally, Performetriks has committed to our customers and reserves the right to notify our customers immediately after identifying a threat to their environment.

All Vulnerabilities (The Default Policy)

  1. Performetriks will confidentially disclose discovered vulnerabilities to the Software or Service Vendor that is in the best position to address that vulnerability with a resolution. That organization is the "vendor".

    • If the vendor is not a CVE Partner, Performetriks will reserve a CVE ID.

  2. If the vendor has not acknowledged our initial disclosure within 15 days, Performetriks will presume they are a "non-responsive vendor."

  3. After 60 days of confidential disclosure to the vendor, Performetriks will publicly disclose vulnerability information, including CVE descriptions, opinions on risk, impact, and mitigation strategies, and, in some cases, enough technical detail to demonstrate the issue (collectively, "vulnerability details").

    • During this 60-day window, Performetriks expects the vendor to develop a resolution and make any updates available for affected parties.

  4. If the vendor demonstrates a consistent good-faith effort to develop and ship an update but cannot complete this work within 60 days, an extension may be granted. If Performetriks becomes aware that an update has been made generally available, the vulnerability details may be published earlier than initially scheduled.

Exploited In the Wild

This is the case where we see active exploitation in a production environment, including our own. The goal in these situations is to release critical risk information as quickly as possible so organizations may take informed action to protect themselves.

This policy is identical to the default policy, but for these changes:

  1. Performetriks will aim to notify the vendor and publish public vulnerability information approximately 72 hours after discovery, regardless of whether an update is available.

  2. If the vulnerability was found within an organization’s environment, Performetriks will strive to notify directly affected organizations of the disclosure first.

  3. Performetriks will notify all impacted customers immediately upon discovering that they are affected by the threat.

Cloud/Hosted Vulnerabilities

This is the case where end users or implementers have nothing to fix on their end — fixing the issue requires only one vendor to act.

This policy is identical to the default policy, but for these changes:

  1. Performetriks will not reserve a CVE ID.

  2. If the issue is resolved inside the 60-day coordination window, Performetriks will assess the value of a public disclosure. If the issue remains unresolved after the coordination window closes, a public disclosure may be issued in accordance with the default policy.

Low-Impact Vulnerabilities

These vulnerabilities are trivial enough that an exploit would have safely ignorable consequences in affected production environments, would be limited to a single production instance (such as one website not connected to critical infrastructure), or would exist only in theoretical or improbable configurations of affected systems.

This policy is identical to the default policy, but for these changes:

  1. Performetriks may choose not to publish vulnerability details at all, but may still do so if circumstances change (for example, if this low-impact vulnerability is shown to be chainable with another to achieve a high-impact result).