Responsible Disclosure Policy
Last Updated: 4/22/2024
Introduction
Maintaining confidentiality, integrity, and availability of Grid Dynamics information, data, services, systems, and networks is essential and a top priority for Grid Dynamics. We encourage our users and members of the security community to report possible vulnerabilities and incidents privately and responsibly so that we can address these issues quickly. However, at the moment we do not run a formal Bounty Program and do not offer monetary rewards for vulnerability or incident disclosures.
This policy sets out the processes to report to Grid Dynamics any incident, suspicion of an incident, or vulnerability found on any externally exposed Grid Dynamics systems. An incident involves the loss of, unauthorized access to, or unauthorized disclosure of, non-public information. A vulnerability is any technical flaw that can be found on a system that could lead to an incident or to an interruption of the provided service.
This policy applies to any and all incidents and vulnerabilities you are considering reporting to us. We recommend that you read this policy fully before you report an incident or vulnerability, and that you always act in compliance with it. We value those who take the time and effort to report security vulnerabilities according to this policy.
Reporting
If you believe you have found an incident or a security vulnerability, please submit your report to us using abuse@griddynamics.com. Any reports regarding personal data privacy issues and privacy regulations, GDPR and CCPA included, should be submitted to dpo@griddynamics.com instead. Please note that reports sent to any other Grid Dynamics addresses including addresses of individual employees will be discarded.
In your report, please include details of:
If you want to report an online leak of sensitive Grid Dynamics information, please provide a working reference link to it or, if not applicable, a sample of the sensitive information exposed and how you have discovered it.
If you have found a lost Grid Dynamics-owned laptop or other device, please include its make, serial number, and where the device was discovered.
This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as subdomain takeovers.
What to expect
After you have submitted your report, we will respond to your report within 5 working days and aim to triage your report within 10 working days.
We’ll also aim to keep you informed of our progress. Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. Our goal is to address reported, legitimate issues as quickly and efficiently as possible, however, handling disclosed issues may not be easy or straightforward. While some issues can be analyzed and resolved quickly, others may be more complex or have a broader impact that requires more careful work. You are welcome to inquire about the status but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation and ensure users are safe and protected. If we can, we will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately. Once your vulnerability has been resolved, we welcome requests to disclose your report. We’d like to provide guidance to affected users and ensure any remediation is fully rolled out before public disclosure, so please do continue to coordinate any public release with us.
Guidance
You must NOT:
You must:
Legalities
This policy is designed to be compatible with good industry practices on responsible incident reporting and vulnerability disclosure. It does not give you permission to act in any manner that is inconsistent with cybercrime or privacy/data protection laws, or which might cause Grid Dynamics, its affiliates, customers, or partners to be in breach of any legal obligations and/or privacy regulations.
Contact Information
If you have any questions, comments, or concerns about our processing activities, please contact:
Grid Dynamics, US
5000 Executive Parkway, Suite 520
San Ramon, CA 94583.
dpo@griddynamics.com
If you are based in the EEA or the UK, the entity responsible for the processing of your information is:
Grid Dynamics, Poland
sp. z o.o. with its registered office in Kraków, al. 3 May 9, 30-062 Kraków, KRS number 0000511476, NIP number 5252588225, REGON number 14727132800000.
Get in touch
Let's connect! How can we reach you?
Thank you!
It is very important to be in touch with you.
We will get back to you soon. Have a great day!
Something went wrong...
There are possible difficulties with connection or other issues.
Please try again after some time.