Last Updated: January 2026 

Purpose

The purpose of this policy is to define a clear and secure process for reporting security vulnerabilities in our products, services, and infrastructure. We value the work of security researchers and encourage responsible disclosure to help protect our users, customers, and systems.

This policy is designed to ensure vulnerabilities are reported, investigated, and remediated in a timely and coordinated manner.  
 

Scope

This policy applies to:

  • All production systems, applications, APIs, and services operated by the organization
  • Public-facing websites, web applications, and APIs
  • Cloud infrastructure and supporting services under our control

Out of scope:

  • Third-party services not operated or controlled by the organization
  • Denial-of-Service (DoS/DDoS) testing
  • Social engineering (phishing, vishing, physical attacks)
  • Brute-force attacks or credential stuffing
  • Automated scanning that significantly impacts system availability

 

Reporting a Vulnerability

Security vulnerabilities should be reported as soon as possible via one of the following channels:

Email:  

   

MyForsk portal (all regions): https://www.myforsk.com

Reports should include, where possible:

  • A clear description of the vulnerability
  • Affected system, endpoint, or component
  • Steps to reproduce the issue
  • Potential impact and attack scenarios
  • Any proof-of-concept (screenshots, logs, sample requests), avoiding sensitive data

 

Please do not publicly disclose the vulnerability before coordination and remediation are complete.  
 

Safe Harbor

We commit to not pursuing legal action against individuals who:

  • Act in good faith
  • Follow this policy
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it
  • Do not access, modify, or delete data belonging to others
  • Do not intentionally degrade system availability

 

This safe harbor applies only to activities conducted in compliance with this policy. 

Our Commitment

Upon receiving a vulnerability report, we will:

  • Acknowledge receipt within 5 business days
  • Assess and validate the reported issue
  • Prioritize remediation based on severity and risk
  • Provide status updates where appropriate
  • Notify the reporter once the issue is resolved or mitigated

 

Critical vulnerabilities may be addressed on an accelerated timeline. 
 

Disclosure Timeline

We aim to remediate vulnerabilities as quickly as possible. Public disclosure should only occur:

  • After remediation is complete, or
  • By mutual agreement between the reporter and the organization

 

If a coordinated disclosure timeline is required, we will work collaboratively with the reporter to define appropriate milestones. 
 

Confidentiality

All vulnerability reports are treated as confidential. We ask reporters to maintain confidentiality until remediation is complete, unless otherwise agreed in writing.
 

Recognition

Where appropriate, we may acknowledge researchers for responsible disclosures (e.g., release notes, hall of fame), subject to the reporter’s consent. We do not currently offer monetary rewards unless explicitly stated otherwise.
 

Changes to This Policy

This policy may be updated periodically to reflect changes in our systems, processes, or regulatory requirements. The latest version will always be published on our website.