Aziro (formerly MSys Technologies) Vulnerability Disclosure Policy

Aziro (formerly MSys Technologies) is a reliable partner for product engineering services and digital transformation projects for its ISV and Enterprise clientele is committed to ensuring the safety and security of our customers. Toward this end, Aziro is now formalizing our policy for accepting vulnerability reports in our solutions. We hope to foster an open partnership with the security community, and we recognize that the work the community does is important in continuing to ensure safety and security for all of our customers.

We have developed this policy to both reflect our corporate values and to uphold our responsibility to security researchers that are providing us with their expertise.

Vulnerability disclosure scope

Aziro's vulnerability disclosure program covers the following:

  • Aziro (formerly MSys Technologies) public web site
  • Aziro (formerly MSys Technologies) customer digital channels

We do not permit anyone to perform any activity that could potentially cause harm to Aziro (formerly MSys Technologies) or to our customers. If vulnerabilities are discovered, it is not allowed to pivot into the internal network, access any confidential data or cause harm to vulnerable systems.

Out of scope:

  • Any vulnerability obtained through the compromise of a Aziro (formerly MSys Technologies) customer or employee account
  • Customer assets not supplied by Aziro (formerly MSys Technologies)
  • Attacks against the integrity of Aziro (formerly MSys Technologies) customers
  • Vulnerabilities discoverable through automated scans which have not been verified manually

Legal posture

We openly accept vulnerability reports for stated scope of the vulnerability disclosure policy. We agree not to pursue legal action against individuals who:

  • Engage in good faith testing of systems/research without harming Aziro (formerly MSys Technologies) or its customers
  • Engage in vulnerability testing within the scope of our vulnerability disclosure program
  • Test on solutions without affecting customers
  • Refrain from disclosing vulnerability details to the public before it is fixed or a mutually agreed upon timeframe expires

This policy does not provide consent to any unauthorised penetration of Aziro (formerly MSys Technologies) or customer systems, or breach of applicable laws or contractual obligations.

Preference, prioritisation, and acceptance criteria

We will use the following criteria to prioritise and triage submissions:

  • Well-written reports in English will have a higher chance of resolution
  • Reports that include proof-of-concept code help us to evaluate the situation
  • Reports that include only crash dumps or other automated tool output may receive lower priority
  • Reports that include solutions not on the scope list may receive lower priority
  • Please include how you found the bug, the impact, and any potential remediation
  • Please include any plans or intentions for public disclosure

Researchers must not:

  • Send unsolicited electronic mail to Aziro (formerly MSys Technologies) users, including "phishing" messages
  • Engage in physical testing of facilities or resources
  • Engage in social engineering
  • Execute or attempt to execute "Denial of Service" or "Resource Exhaustion" attacks, against Aziro (formerly MSys Technologies) or our suppliers
  • Introduce malicious software
  • Test in a manner which could degrade the operation of Aziro (formerly MSys Technologies) systems; or intentionally impair, disrupt, or disable Aziro (formerly MSys Technologies) systems
  • Test third-party applications, websites, or services that integrate with or link to or from Aziro (formerly MSys Technologies) systems
  • Delete, alter, share, retain, or destroy Aziro (formerly MSys Technologies) data, or render Aziro (formerly MSys Technologies) data inaccessible, or
  • Use an exploit to exfiltrate data, establish command line access or to establish a persistent presence on Aziro (formerly MSys Technologies) systems.

Clarity of program

  • Aziro (formerly MSys Technologies) recognises the value and contribution of the security community to our company purpose: Enabling sustainable societies with smart technology. To this end we warmly welcome the opportunity to collaborate with community members in creating a more secure world.
  • This program does not provide monetary rewards.

What you can expect from us:

  • A timely response to your email
  • After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it
  • An open dialog to discuss issues
  • Notification when the vulnerability analysis has completed each stage of our review

If we are unable to resolve communication issues or other problems, Aziro (formerly MSys Technologies) may bring in a neutral third party to assist in determining how best to handle the vulnerability.

How to Submit a Vulnerability

To submit a vulnerability report to Aziro (formerly MSys Technologies) Security Team, please utilize the following email address security@aziro.com

Note: By submitting your report, you agree to the terms of this Vulnerability Disclosure Policy.