Vulnerability Disclosure Policy

1. Purpose

This policy is intended to meet the requirements of the UK Product Security and Telecommunications Infrastructure (PSTI) regulations by publicly setting out the company's policy and process for disclosing security vulnerabilities in our products. The goal is to ensure transparency, traceability, and responsiveness.


2. Scope

This disclosure policy applies to all products manufactured by our company and sold in the UK, including the related software, applications, and services.


3. Contact Information

If you discover a potential security vulnerability in our products, please contact our security team via:

Email: security@seedpace.com


4. Disclosure Guidelines

We ask that security researchers and customers follow these procedures:

1. Reporting Vulnerabilities: Please provide as much detail as possible, including:

Affected product model and version

Steps to reproduce the vulnerability or a proof of concept (PoC)

Potential impact (e.g., information disclosure, remote code execution)

2. Avoid Public Disclosure: Please do not publicly disclose vulnerability details until the issue has been resolved.

3. Collaborative Remediation: We are committed to working with you to verify and resolve vulnerabilities, ensuring that users receive timely security updates.


5. Company Commitments

1. We will acknowledge receipt of your vulnerability report and provide an initial assessment within 14 business days.

2. Within 120 business days of confirming the vulnerability, we will provide a remediation plan or a patch release timeline.

3. Upon resolution of the vulnerability, we will:

Publish a security advisory (including the vulnerability description, the scope of impact, and the remediation steps)

Acknowledge the reporter's contribution.


6. Vulnerability Severity Rating

We assess and classify vulnerabilities using the Common Vulnerability Scoring System (CVSS) or an equivalent standard, and prioritise remediation according to the resulting severity:

High-risk vulnerabilities: Immediate emergency response and highest priority remediation

Medium-risk vulnerabilities: Included in upcoming security update cycles

Low-risk vulnerabilities: Addressed in regular update cycles


7. Information Disclosure and Announcements

1. After remediation, vulnerability information will be published on the company website's Security Advisories page, including:

Vulnerability ID

Affected products/versions

Description and potential risks

Remediation measures or mitigation solutions

2. All advisories will be archived and remain available for user reference at any time.


8. Legal and Compliance

This policy complies with the UK PSTI regulations and the relevant international standards (ISO/IEC 29147 on vulnerability disclosure and ISO/IEC 30111 on vulnerability handling processes). We respect and appreciate responsible disclosure by security researchers, and we commit not to pursue legal action against individuals who act in good faith and adhere to this policy.