Vulnerability Disclosure Policy

  1. Introduction

This Vulnerability Disclosure Policy (VDP) articulates Silo's commitment to cybersecurity and the crucial role of the security research community in identifying vulnerabilities. Silo acknowledges the value of community contributions to its digital safety and aims to facilitate a collaborative environment where security vulnerabilities can be reported responsibly and addressed promptly. This policy provides the framework for such collaboration, ensuring protections for researchers and a clear process for submission and resolution of reports.

  2. Scope and Applicability

The VDP applies to all digital assets managed by Silo, including but not limited to our websites, online services, and internet-connected products. We encourage security researchers, customers, and partners to report potential vulnerabilities identified in any of Silo's products or services. This policy clarifies the boundaries for authorized testing to protect our users' privacy and data integrity while enabling productive security research.

  3. Authorized Testing and Research Guidelines

Silo encourages the responsible disclosure of vulnerabilities and supports ethical security research on its digital assets. We believe in working collaboratively with the security community to identify and mitigate vulnerabilities to enhance our users' security and privacy. Researchers engaging in security testing must adhere to legal and ethical guidelines, ensuring their activities do not harm users, Silo's infrastructure, or data.

  4. Ethical Research Guidelines

Researchers should:

  • Conduct testing only within the scope defined by this policy.

  • Avoid violating privacy, destroying data, or interrupting or degrading our services.

  • Refrain from using any exploit to compromise data or access systems beyond the necessary extent to demonstrate the vulnerability.

  • Provide detailed reports with reproducible steps if possible.

  • Utilize provided communication channels for secure report submission.

  5. Prohibited Testing Activities

The following activities are strictly prohibited:

  • Network denial of service (DoS or DDoS) tests.

  • Physical attacks against Silo offices or data centers.

  • Social engineering attacks against our employees or contractors.

  • Any testing on applications or systems not explicitly authorized for research.
By establishing these guidelines, Silo aims to foster a positive and productive relationship with the security research community while protecting the interests and privacy of its users.

  6. Vulnerability Reporting Process

Silo values the contributions of the security research community and recognizes their importance in maintaining the security of our systems and data. To report a vulnerability, researchers should direct their findings via email to info@silo.com. This ensures that reports reach the appropriate security team and can be acted upon promptly.

  7. How to Submit a Vulnerability

When submitting a vulnerability, we ask researchers to provide as much information as possible to help us understand the nature and severity of the issue. This includes a detailed description of the vulnerability, the steps to reproduce it, and any other relevant information that could assist in the resolution process. Silo is committed to acknowledging the receipt of all vulnerability reports within 5 business days.

  8. Information to Include in a Report

A comprehensive vulnerability report increases the efficiency of our response and resolution process. Therefore, we encourage the inclusion of:
  • A clear and concise description of the observed vulnerability.

  • Detailed steps required to reproduce the issue, including any necessary URLs, code samples, or commands.

  • Any potential implications of the vulnerability, including how it might be exploited.

  • Suggestions for mitigating or resolving the issue, if any.

Silo is dedicated to working closely with the security research community. We commit to evaluating all reported vulnerabilities seriously and will communicate openly with the researcher(s) to resolve substantiated issues within a reasonable timeframe, considering the complexity and severity of the issue.

  9. Response and Resolution Process

Upon receiving a vulnerability report, Silo initiates a structured response and resolution process to ensure timely and effective handling of the issue.

  9.1. Initial Acknowledgment

Silo is committed to acknowledging receipt of all vulnerability reports within 5 business days. This initial response will confirm that the report has been received and provide an estimated timeline for assessment and feedback.

  9.2. Assessment and Validation

Our security team will conduct a thorough assessment and validation of the reported vulnerability to understand its impact and severity. This phase involves replicating the issue based on the provided information and determining the potential implications for our systems and users.

  9.3. Resolution and Closure

Following the assessment, Silo will prioritize the resolution of the vulnerability based on its severity and the potential impact on our users and systems. Our goal is to resolve substantiated vulnerabilities within 90 days of the report, depending on the complexity of the issue. Upon resolution, we will communicate the outcome to the reporter and discuss the disclosure process. We strive for transparency and collaboration with the reporting individual or organization throughout this process, ensuring that efforts to enhance security are recognized and appreciated.

  10. Communication Protocol with Researchers

Silo is committed to maintaining an open and transparent communication channel with security researchers throughout the vulnerability resolution process. Upon receiving a vulnerability report, our security team will acknowledge receipt within 5 business days, providing the researcher with a point of contact. We keep researchers informed of the progress in evaluating and addressing the reported issue, ensuring timely updates on our findings, planned remediation actions, and resolution timeline. This collaborative approach fosters mutual respect and aims to build a constructive relationship between Silo and the security research community.

  11. Rewards and Recognition

Silo acknowledges the efforts of security researchers with rewards that aim to be both appreciative and meaningful. Recognizing the diverse contributions made, rewards are determined on a case-by-case basis, reflecting the significance of each finding to Silo's security posture.

  11.1. Social Media Recognition

Silo is pleased to offer recognition through social media shoutouts for those researchers interested in public acknowledgment. This option allows contributors to gain visibility in the cybersecurity community and beyond, highlighting their skill and dedication to a wider audience.

  11.2. Bug Bounty Rewards

For eligible vulnerability reports, Silo provides store credit rewards, which can be used to purchase Silo products directly from our website. The amount of store credit is determined based on the severity and impact of the reported vulnerability. Our program specifies the criteria for reward eligibility and the process for credit allocation, aiming to encourage meaningful contributions to our security posture.

  12. Legal Considerations and Safe Harbor

Silo's Vulnerability Disclosure Policy includes a Safe Harbor clause to protect researchers from legal action for any findings reported in good faith and in accordance with this policy. We are committed to ensuring that ethical research conducted under the guidelines of this policy is respected and protected. Our aim is to foster a positive relationship with the security community by clarifying legal boundaries and encouraging responsible disclosure.

  13. Policy Review and Update Mechanism

This policy is subject to periodic review and updates to reflect the evolving cybersecurity landscape and emerging best practices. Silo is dedicated to maintaining an effective vulnerability disclosure program and will engage with the security community to gather feedback and make necessary adjustments. Updates to the policy will be communicated through our official channels to ensure that researchers are informed of any changes that may affect their submissions.