Vulnerability Disclosure Policy
JIG-SAW INC. (hereinafter, the "Company," "we," "us," or "our") will disclose information on vulnerabilities in its products by the following process, to ensure the security of its products in response to new vulnerabilities that are discovered from day to day, and to protect its customers from cyber-attacks.
Responses to vulnerability information for the Company's products will be carried out by its Product Security Incident Response Team (PSIRT).
Obtaining Vulnerability Information
For information regarding product vulnerabilities, please refer to the following guidelines, and notify our Support Center.
After confirming receipt of information regarding vulnerabilities sent to us via our Support Center, we will notify you of receipt within three business days. Please note that it may take us longer to reply during the end-of-year and New Year holidays, summer vacation periods, and long holiday periods in Japan (Golden Week, etc.). When contacting us, please provide the following information.
1) Name and version of the product containing the vulnerability
2) Type of vulnerability (leakage of user information, unauthorized access, etc.) and impact
3) Procedure for reproducing the vulnerability, Proof of Concept code, or attack code
4) Name, telephone number, and email address of the person making the report
Customer information and vulnerability information provided will be managed in accordance with the JIG-SAW Group's Privacy Policy.
Privacy Policy: https://www.jig-saw.com/en/policy-en/
We will express our gratitude to persons who contribute to the discovery and/or resolution of vulnerabilities in our products with good intentions, and will not hold them legally liable in any way.
We may not be able to respond to inquiries that are not specific to our products.
For information about other products not made by the Company, please contact the manufacturer of the relevant product.
Vulnerability Research and Response Measures
Information that you provide about the vulnerability of products will be investigated by our Design and Development Departments to determine the impact of the vulnerability.
If we determine that response measures are necessary, we will implement them in cooperation with our Design and Development Departments. As response measures, we will prepare a repair program, or a workaround.
Information Disclosure
In accordance with the principle of matching dates of publication, we will adjust the date of publication with the reporter and other relevant parties as soon as preparations for publication are complete, and publish the information in the Release Notes of our website.
Release Notes: https://neqto.jig-saw.com/en/news/releases
Principle of matching publication dates (excerpt from the JPCERT/CC guidelines for handling vulnerability-related information)
When handling vulnerability-related information before it is made public, if the vulnerability-related information is made public or leaked to malicious third parties before response measures have been prepared, malicious code (attack code) may be developed and distributed, and attacks on systems affected by the vulnerability may start to occur. As a result, there is a possibility that it may cause harm to product users.
In addition, it is also important to ensure that all parties involved are in agreement when releasing vulnerability-related information, especially in the case of vulnerabilities that affect multiple products. If information is released independently without waiting for the date and time of announcement to the public coordinated between the relevant parties, users of other companies' products may be at risk.
In cases of international coordination with overseas organizations, if the timing of information disclosure is incorrect (information is disclosed independently before the date and time of announcement to the public), overseas organizations may take measures to exclude the developer in question from handling vulnerability-related information in the future.
Disclaimer
If users receive a notification of the release of an updated version of our products (including software) with regard to security vulnerabilities, they should upgrade those products to the relevant updated version.
Information relating to security vulnerabilities is clearly indicated in the "title" section of the release notes, and the content is indicated in the "important topics" section.
Users who do not perform the aforementioned version upgrades are at increased risk of exposure to cyber-attacks or computer system faults.
Users are responsible for performing the aforementioned version upgrades at their own risk. Users who do not perform the aforementioned version upgrades are liable for any and all damages they incur due to accidents or faults that may occur as a result of failure to perform such upgrades; as well as any damage to computer systems, loss or leakage of data, communication failures, or other accidents or malfunctions that may generally be expected to occur as a result of using the Company's products. The Company will not be held liable whatsoever for any such damages.