Responsible Disclosure

  

Dawex commitment on security vulnerabilities

The Dawex security team is committed to verifying and resolving any potential security vulnerability that is discovered. Nevertheless, any technology can contain bugs, and vulnerabilities can sometimes be present. Dawex truly encourages responsible reporting of any security issue that someone may find on the data marketplace.

If a vulnerability is found, our teams are dedicated to addressing it quickly and transparently.

Our policy on the responsible disclosure of vulnerabilities

Responsible disclosure is a vulnerability disclosure model in which a vulnerability or an issue is disclosed only after a period of time that allows for the vulnerability or issue to be patched or mended. Dawex's philosophy relies on collaboration between the Dawex security team and security researchers, as follows:

Dawex Security Team

  • Prioritizes efforts to resolve the reported security issues and communicates transparently
  • Respects security researchers, giving them public recognition and rewards for their contributions when appropriate
  • Does not take any punitive actions against finders

Security Researchers

  • Respect the rules and follow the process prescribed by Dawex
  • Respect all enforceable data regulations, and strive to respect data privacy
  • Assist in clarifying and supporting their reports when needed, and communicate in good faith with the Dawex security team

Reporting a vulnerability

As a Security Researcher, if you believe you have found a vulnerability, please submit your report including a detailed description of your discovery with clear, concise, replicable steps or a working proof-of-concept. Please be as thorough as possible. The Dawex security team may contact you for additional details.

To submit a report to the security team, email security at dawex.com.

Need to send us sensitive information? Use this PGP public key.

We appreciate your support.

Dawex disclosure process

The content of the report will initially remain non-public to allow the Dawex security team enough time to design, test and publish a remediation. When the vulnerability is closed, public disclosure may be requested by either party. We encourage mutual, open communication regarding disclosure timelines:

  • If neither party raises an objection, the content of the report will be made public within 90 days.
  • If the Dawex security team has evidence of active exploitation or imminent harm, it may immediately provide remediation details to the public so that users can take protective action.
  • Some vulnerabilities may require a longer time frame for investigation. In this case, the report may remain non-public to ensure an adequate amount of time to address the issue. Throughout this process, the security team will remain in open communication with the Security Researcher.
  • After a 180-day period, if the security team is unable to provide a vulnerability disclosure timeline, the content of the report may be publicly disclosed by the Security Researcher.

The big security picture

The responsible disclosure of vulnerabilities is part of a larger Dawex effort to ensure our technology provides safe and secure data exchange environments. Our dedication to providing proof, continuity of service, identification, trust and confidentiality runs through every aspect of the Dawex Data Exchange Platform.

After obtaining SOC 1 Type I compliance, SOC 2 Type I and SOC 3, Dawex completed SOC 2 Type II Security and Availability Audit Certification in April 2022 — building on our commitment to deliver secure data exchanges.