Coordinated vulnerability disclosure statement

At Viterra, the global security of our online systems is a top priority. Despite the constant effort we put into system security, vulnerabilities may still be present. If you discover a potential security risk, please inform us so we can take steps to address it.

What to do: 

  1. Submit your findings via the following link: https://app.zerocopter.com/en/cvd/623850a7-c366-4da7-849c-b011a6c6aa12
  2. Report the vulnerability as quickly as reasonably possible to minimise the risk of a security breach.
  3. Report in a manner that safeguards the confidentiality of the report so that others do not gain access to the information. For example, do not share the report or upload it to a public website.
  4. Provide sufficient information to reproduce the problem so we can resolve it. Usually, the IP address or URL of the affected system, and a description of the vulnerability will be sufficient. Please take into account that more complex vulnerabilities may require further explanation.
  5. Closely follow our instructions in the period after you have submitted the vulnerability.

What not to do:

  1. Unnecessarily break any applicable law or regulations, both when investigating and when reporting a vulnerability or problem.
  2. Reveal the vulnerability or problem to others until it is resolved.
  3. Build a back door in our information online systems with the intention of using it to demonstrate the vulnerability. Doing so can cause additional damage and create unnecessary security risks.
  4. Utilise a vulnerability further than necessary to establish its existence.
  5. Abuse or take advantage of the vulnerability; for example, by downloading, copying, modifying, or deleting data on the system. For example, instead of downloading data to show the extent of the vulnerability, you can make a directory listing of the system.
  6. Disrupt or otherwise make changes or adjustments to the system.
  7. Repeatedly gain access to the system or share access with others.
  8. Use brute force attacks, attacks on physical security, social engineering, distributed denial of service, spam, or applications of third parties to gain access to the system.

What we promise:

  • We will respond to your report as soon as reasonably possible.
  • Reporting under a pseudonym or anonymously is possible.
  • We will keep you informed as much as reasonably possible of the progress towards resolving the problem.
  • When releasing public information concerning the reported problem, we may credit you as the discoverer of the problem (unless you prefer otherwise).

Note:

It is unfortunately not possible to guarantee in advance that no legal action will be taken against you. We hope to be able to consider each situation individually. We consider ourselves morally obligated to report you if we suspect the weakness or data are being abused, or that you have shared knowledge of the weakness with others. You can rest assured that an accidental discovery in our online environment will not lead to prosecution.

Read our Cookies Policy