Responsible Disclosure

Have you discovered a vulnerability? Let us know.

At PVI Holdings, Inc. and its subsidiaries, we
naturally consider the security of our systems and our network to be of the
utmost importance. We are convinced that good security is essential to maintain
the trust that our clients, suppliers and employees place in us. Despite the
care invested in the security of our systems, however, it is still possible
that vulnerabilities could be discovered.

By means of our responsible disclosure policy, we ask anyone who has discovered a
vulnerability to report it as quickly as possible, so that we can take adequate
countermeasures. We would be happy to work with you to solve the vulnerability.
Our responsible disclosure policy is
not an invitation to actively scan our company network in detail to discover
vulnerabilities, as we are already monitoring the network.



We ask that you:


  • Report your discoveries as quickly as possible to
  • If you would like to encrypt your report before you send it,
    please inform us in your e-mail and we will give you instructions;
  • Provide us with enough information to reproduce the
    vulnerability, so that we can solve it as quickly as possible. Usually the IP
    address or URL for the affected system and a description of the vulnerability
    are sufficient, but more complex vulnerabilities may require additional
  • Not to abuse the vulnerability by downloading, viewing, deleting
    or editing data;
  • Not sharing vulnerabilities with others until they can be
    solved. If you have inadvertently obtained confidential information, then we
    ask that you delete the data immediately;
  • Not to use attacks on the physical security or applications of
    third parties, social engineering, distributed denial of service (DDoS), spam
    or hacking tools such as vulnerability scanners.



What can you expect:


  • We will always take your report seriously. We will also
    investigate any suspected vulnerabilities;
  • We will reply to your report within 5 working days with our
    evaluation of the report and an expected date for the solution;
  • We will keep you informed of the progress made in solving the
  • If you abide by the conditions stipulated above, then we will
    not take legal action against you pertaining to the report. The Public
    Prosecutor’s Office retains the right to decide whether additional
    investigation is necessary;
  • We will treat your report with confidentiality, and will not
    share your personal data with third parties without your permission unless
    required to do so by law, such as when your data are requested by the police or
    the courts;
  • If you submit an anonymous report, we may not be able to contact
    you with information about the subsequent steps and the progress made in
    solving the vulnerability;
  • We may express our appreciation with a maximum value of $50. This will be based on the severity of the vulnerability and the quality of the report;
  • At your request, we can mention your name as the person who
    discovered the vulnerability in any communications about the incident;
  • We strive to analyze, and
    if needed solve, any vulnerabilities as quickly as possible after they are
    discovered. We will also keep all stakeholders informed about the issue.

This responsible
policy is based on the Responsible Disclosure Guideline
published by the National Cyber Security Centre, and the sample Responsible
Disclosure written by Floor Terra.