CNA - Disclosure Policy

How to report an issue

Have you discovered a potential security vulnerability affecting software within the CNA scope?

Please include in your report

• A detailed description of the vulnerability
• The product and version affected
• Steps to reproduce (if possible)
• Potential impact.

We encourage the use of encryption for sensitive information. Our PGP key can be requested at the above email address.

Scope

This disclosure policy applies to vulnerabilities discovered in software products developed and maintained by Almaviva S.p.A., including but not limited to:

• CybeRisk Vision – Joshua
• CybeRisk Vision – Jiano
• CybeRisk Vision – Sofia
• Giotto platform.

Responsible Disclosure Commitment

Almaviva S.p.A. is committed to working with the security community to protect our customers and products. We will not pursue legal action against individuals who report vulnerabilities responsibly and in good faith, in accordance with this policy.

What to expect from us

• Acknowledgement: We will acknowledge receipt of your report within 5 business days
• Initial assessment: We will provide an initial evaluation of the report within 10 business days
• Status updates: We will keep you informed of the remediation process at key stages
• Coordination: If the issue is confirmed as a vulnerability, we will coordinate with you regarding public disclosure, giving appropriate credit if desired
• Confidentiality: We ask that you do not disclose information about the vulnerability publicly until we have confirmed and addressed it.

The CNA scope is limited to proprietary solutions under the direct control of Almaviva S.p.A.

Disclosure timelines

• Day 0 (report received): We acknowledge receipt within 5 business days
• Within 30 days: We aim to provide confirmation of the vulnerability, an assessment of its impact, and a remediation plan or timeline
• Within 90 days: Our target is to release a fix, patch, or mitigation. In some cases, this may take longer; if so, we will keep the reporter informed
• Public disclosure: We will coordinate with the reporter to disclose the vulnerability responsibly once a fix is available, or after 90 days from confirmation if no fix is yet released (following industry best practices).

Responsible Disclosure Commitment

Almaviva S.p.A. is committed to working with the security community to protect our customers and products. We will not pursue legal action against individuals who report vulnerabilities responsibly and in good faith, in accordance with this policy.