Coordinated Vulnerability Disclosure Policy

At Cogent Technology, we take security issues extremely seriously and welcome reports from security researchers, ethical hackers, and members of the public to help us protect our products, services, and users. This policy outlines how to responsibly disclose potential security vulnerabilities to us.

We operate a policy of coordinated vulnerability disclosure (CVD), and aim to handle all reports promptly, respectfully, and transparently.

🔍 Scope

This policy applies to all publicly accessible systems, applications, networks, and services owned or operated by Cogent Technology, unless explicitly excluded. If you’re unsure whether a system is in scope, please contact us to clarify before testing.

✉️ How to Report a Vulnerability

To privately report a suspected security issue, please email:
📧 security@cogent-technology.co.uk

Please include as much of the following as possible:

  • A detailed description of the vulnerability;
  • Steps to reproduce (including any proof of concept code or screenshots);
  • Any known or potential impact;
  • Optional: your contact details or PGP key if you wish to encrypt communications.

⏱️ Our Commitments to You

We commit to:

  • Acknowledge your report within 7 business days;
  • Triage and assess your report within 14 business days;
  • Provide you with regular updates throughout the investigation and remediation process;
  • Aim to resolve confirmed vulnerabilities within 90 days of triage;
  • Work with you to coordinate a public disclosure timeline, where appropriate;
  • Not take legal action against good-faith security research conducted in accordance with this policy;
  • Credit your responsible disclosure, if desired, on our Security Hall of Fame page.

🔐 Your Responsibilities

We ask that you:

  • Respect the privacy and integrity of our systems and users;
  • Avoid actions that could result in service disruption (e.g., DoS, data deletion, mass scanning);
  • Do not exploit the vulnerability beyond what is necessary to prove its existence;
  • Obfuscate or anonymize any user data you encounter and delete all data after reporting;
  • Refrain from disclosing vulnerability details publicly until we’ve addressed the issue or agreed on a coordinated disclosure plan.

🛡️ Legal & Ethical Considerations

We will not pursue legal action against individuals who:

  • Conduct research in good faith;
  • Follow the guidelines outlined in this policy;
  • Report vulnerabilities to us responsibly and cooperatively.

🔐 Data Protection and Confidentiality

Any personal or sensitive information submitted to us as part of a vulnerability report will be handled confidentially and in accordance with the UK GDPR and other applicable data protection laws. We do not share your data without your consent, and you may report anonymously if you prefer.

🧭 Continuous Improvement

We review this policy at least annually and revise it as needed to stay aligned with evolving best practices in coordinated vulnerability disclosure and cybersecurity standards.

🙌 Recognition

We truly value your help in making our systems more secure. If you’d like to be publicly acknowledged for your efforts, we’d be happy to credit you (e.g., name, alias, or social handle) on our [Security Hall of Fame] page.

Thank you for helping us build a safer digital environment.

Version 1.1 Sept 2025

Verified by MonsterInsights