
Vulnerability Disclosure Policy
(Rev 1_2025.01.01)
1. Introduction
• At Concordia, the security of our systems and the protection of our customer data are our highest priorities. We value the role that independent security researchers play in the ecosystem. We encourage responsible reporting of any vulnerabilities that may be found on our sites or applications. This policy outlines our definition of good-faith security research, what systems are in scope, how to report a vulnerability, and what you can expect from us.
2. Safe Harbor
• Concordia will not initiate civil or criminal legal action against researchers for any activities conducted in a manner consistent with this policy. We consider security research and vulnerability disclosure activities conducted under this policy to be "authorized" conduct under the Computer Fraud and Abuse Act.
• To qualify for safe harbor, you must:
- Comply with all guidelines in this policy.
- Avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Not access or modify data that does not belong to you.
- Provide us with a reasonable amount of time to resolve the issue before any public disclosure.
• If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report to help@concordiawireless.com before going any further.
3. Scope
• This policy applies to:
- All Concordia-owned domains, systems, applications, and services, unless specifically excluded.
- Security vulnerabilities discovered in production environments or public-facing services.

*This policy does not authorize testing against third-party systems or services not owned by Concordia.*

• Out-of-Scope: Any service not explicitly listed above is out of scope. Additionally, the following activities are strictly prohibited:
- Attacks against our corporate IT infrastructure or physical facilities.
- Denial of Service (DoS or DDoS) attacks.
- Social engineering (including phishing) of Concordia employees, contractors, or customers.
- Any activity that could lead to the disruption of our service.
- Spamming or use of automated vulnerability scanning tools that are disruptive.
4. How to Report a Vulnerability
• If you believe you have discovered a vulnerability, please share the details with us by sending an encrypted email to our IT department at help@concordiawireless.com.
• Please include the following information in your report:
- A clear description of the vulnerability, including the affected URL or component.
- Detailed steps to reproduce the vulnerability, including any proof-of-concept scripts, screenshots, or screen captures.
- Your assessment of the potential impact of the vulnerability.
- Your name and contact information.
5. Our Commitment (The Process)
• After you submit a report, Concordia commits to the following:
- We will acknowledge receipt of your report within 2 business days.
- We will provide an initial assessment of the vulnerability within 5 business days.
- We will keep you informed of our progress as we work to remediate the issue.
- We will notify you when the vulnerability has been resolved.
6. Recognition
• We believe in recognizing the efforts of researchers who help keep our community safe. While we do not currently offer a formal bug bounty program, we would like to express our gratitude to those who report valid vulnerabilities by offering a place in our Security Researcher Hall of Fame (with your permission).

We thank you for helping to keep Concordia and our users safe.

** END OF DOCUMENT **

Title: Vulnerability Disclosure Policy
Author: Rick Smith – Dept Coordinator
Rev: 1, Date: 01/01/2025
Customer: ALL
Applicable Market(s): ALL
Project(s): ALL
Dept: ALL
Final Approval by: GM Sadat - Director





