SOTI Vulnerability Disclosure Policy
Introduction
At SOTI, we prioritize the security and privacy of our users. We are committed to maintaining the integrity of our systems and protecting sensitive information. This Vulnerability Disclosure Policy (VDP) outlines the process for reporting security vulnerabilities to SOTI. By submitting a report, you agree to comply with the terms and guidelines specified in this VDP.
Scope
This policy applies to vulnerabilities discovered in SOTI ONE software, including its web applications, device agents, services and infrastructure, and covers all products and services provided by SOTI.
Vulnerabilities in systems from our third-party vendors are not in the scope of this policy and should be reported to the vendor according to its disclosure policy. If you are uncertain whether a system is in scope, contact us at security@soti.net before starting your research.
Reporting a Vulnerability
If you believe you have discovered a security vulnerability in our systems, we encourage you to report it to us responsibly. Please follow these steps:
1. Contact Us:
Email security@soti.net, encrypting your message with the public PGP key published via soti.net/.well-known/security.txt. Use the subject line “Vulnerability Disclosure”. Include a detailed description of the vulnerability, covering the following information:
- The type of vulnerability
- The affected product, service or system
- Steps to reproduce the vulnerability
- Potential impact of the vulnerability
- Any proof-of-concept code or screenshots
2. Provide Contact Information:
Include your contact information so we can reach you for further details or clarification if needed.
3. Timely Notification:
Once you have established that a vulnerability exists, or you encounter sensitive data (including PII, financial information, proprietary information or trade secrets of any party), you must stop your test and notify us immediately.
4. Quality Reports:
Do not submit a high volume of low-quality reports. Reports with no details or “beg bounties” will be ignored.
Our Commitment
When you report a vulnerability to us, we commit to:
- Acknowledgment: Acknowledge receipt of your report within three business days.
- Investigation: Investigate the reported vulnerability and provide an estimated timeline for resolution.
- Communication: Keep you informed of the progress and status of the vulnerability resolution.
Coordinated Vulnerability Disclosure
SOTI has legal and contractual obligations in certain circumstances to coordinate vulnerability disclosure with regulatory bodies and our customers. Please do not publicly disclose the vulnerability until we have had a chance to investigate and address it. To the best of our ability, we will update you on the remediation status of the vulnerability you have reported. Any public disclosures should be coordinated with SOTI, unless allowed otherwise by applicable whistleblower protection laws.
Prohibited Security Research
We welcome responsible reporting of vulnerabilities; however, the conduct below is prohibited:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Social engineering (for example, phishing, vishing)
- Physical testing (for example, building access, tailgating)
- Testing in a manner that violates our software license agreements available at https://soti.net/about/legal/
- Other non-technical vulnerability testing
Safe Harbor
We will not take legal action against individuals who discover and report vulnerabilities to SOTI in accordance with this policy. We consider activities conducted consistent with this policy to be authorized conduct, and we will work with you to understand and resolve the issue quickly.
Changes to This Policy
We may update this policy from time to time. We will notify you of any changes by posting the new policy on our website.
Contact
If you have any questions about this policy, please contact us at security@soti.net.