IRM360 Coordinated Vulnerability Disclosure (CVD) Policy

Introduction


At IRM360, we take the security of our systems very seriously. Despite our efforts to ensure the security of our systems, vulnerabilities may still occur. If you have discovered a vulnerability in one of our systems, we would appreciate hearing from you so that we can take action as quickly as possible. We would like to work with you to better protect our customers and our systems. To this end, IRM360 has established a Coordinated Vulnerability Disclosure policy. Coordinated Vulnerability Disclosure (CVD) ensures that vulnerabilities can be reported and resolved in a timely and secure manner, thereby minimizing risks to users and our organization.
This policy describes the process for responsibly reporting and addressing vulnerabilities in our products, services, and systems.

Scope


This CVD policy applies to the following products, services, and systems:

  • CyberManager Software

The following are not included:

  • IRM360 does not process reports regarding third parties and software that are not directly related to our software, or reports concerning trivial vulnerabilities or security issues that cannot be exploited. While these issues should also be resolved, CVD reports specifically concern vulnerabilities that require immediate resolution.

Vulnerability Reporting Process


Vulnerabilities can be reported using the CVD reporting form.

When submitting a report, please provide the following information:

  • Description of the vulnerability
  • Steps to reproduce the vulnerability
  • Impact assessment
  • Screenshots, logs, or evidence, if available

We aim to send a confirmation of receipt within 48 hours.

Processing and Communication


Upon receiving a report, our security team will review it and launch an investigation. The reporter will receive updates on the status of the investigation, typically within a week.

Our internal teams will work together to mitigate the vulnerability and roll out patches as needed.

Coordination and Disclosure


The disclosure of the vulnerability is coordinated with the reporter to ensure timely and responsible communication. We respect embargoes and strive for joint disclosure whenever possible.

Responsibilities and Code of Conduct

We expect reporters to:

  • Not exploit or disclose the vulnerability before it has been resolved
  • Not steal, alter, or destroy any data

Our organization will:

  • Take the report seriously
  • Communicate in a timely manner
  • Respect the reporter’s privacy

Disclaimer and Legal Information


While we value ethical hacking within the scope of our services, we do not accept liability for any damage resulting from negligent behavior. We assume no liability for any damage that may occur during the testing process, provided that actions are taken within the scope and in accordance with ethical guidelines.

Deventer, August 2025

IRM360 BV

This policy was developed based on the models of the National Cyber Security Center and the Digital Trust Center.