IRM360 Coordinated Vulnerability Disclosure (CVD) Policy

Introduction


At IRM360, we take the security of our systems very seriously. Despite our efforts to ensure the security of our systems, vulnerabilities may still arise. If you have identified a vulnerability in one of our systems, we would like to hear from you so that we can take action as quickly as possible. We would like to work with you to better protect our customers and our systems. To this end, IRM360 has drawn up a Coordinated Vulnerability Disclosure (CVD) policy. The CVD policy ensures that vulnerabilities can be reported and resolved in a timely and secure manner, thereby minimising risks to users and our organisation.
This policy describes the process for the responsible reporting and handling of vulnerabilities in our products, services and systems.

Scope


This CVD policy applies to the following products, services and systems:

  • CyberManager Software

The following are not included:

  • IRM360 does not process reports concerning third parties and software that are not directly related to our software, or reports regarding trivial vulnerabilities or security issues that cannot be exploited. These issues should also be resolved, but CVD reports refer to vulnerabilities that require immediate resolution.

Vulnerability reporting process

Vulnerabilities can be reported via the CVD reporting form.

When submitting a report, please provide the following information:

  • Description of the vulnerability
  • Steps to reproduce the vulnerability
  • Impact assessment
  • Screenshots, logs or evidence, if available

We aim to send an acknowledgement of receipt within 48 hours.

Processing and communication


Once we have received a report, our security team will assess it and launch an investigation. The reporter will receive updates on the status of the investigation, usually within a week.

Our internal teams will work together to mitigate the vulnerability and roll out patches where necessary.

Coordination and disclosure


The disclosure of the vulnerability is coordinated with the reporter to ensure timely and responsible communication. We respect embargoes and aim for joint disclosure where possible.

Responsibilities and rules of conduct

We expect reporters to:

  • Not exploit or disclose the vulnerability before it has been resolved
  • Not steal, alter or destroy any data

Our organisation will:

  • Take the report seriously
  • Communicate in a timely manner
  • Respect the privacy of the person making the report

Disclaimer and legal matters


Whilst we value ethical hacking within the scope of the assessment, we do not accept liability for any damage resulting from negligent behaviour. We accept no liability for any damage arising during the assessment process, provided that actions are carried out within the scope and in accordance with ethical guidelines.

Deventer, August 2025

IRM360 BV

This policy has been developed based on the examples set by the National Cyber Security Centre and the Digital Trust Centre.