As a globally connected company, and a dedicated group of contributors to the free and open source software community, we at Obsidian Systems place a high value on the continued security and quality of our products and services. Our goal is to ensure that any sensitive information that may be controlled or accessed by our products and belonging to our customers and/or end users is never compromised due to software defects. However, no one can predict all possible vulnerabilities, so we have developed the following vulnerability disclosure policy to address cases where we have fallen short of that goal.
Our disclosure policy covers any public, open licensed software released by Obsidian. This includes:
Open licensed software dependencies of the above which are not released or maintained by Obsidian but by a third party, such as common programming language libraries or packages, are not covered. Please report vulnerabilities in such dependencies to the appropriate maintainers or authors.
Projects for certain clients which are not publicly released or open licensed are not covered. Vulnerabilities only affecting the production sites of an Obsidian client should be reported directly to that client, who may then, at their discretion, forward such reports to us.
Individuals or entities which have discovered security vulnerabilities covered under the scope defined above are termed researchers from the point of view of this policy. This does not mean you have to be a professional security researcher or expert to engage in this process. Researchers are encouraged to submit vulnerability reports to us as soon as possible when they have reasonable confidence that a specific security flaw exists and can provide actionable evidence, according to the following guidelines.
.tar.gz archive.

You can expect us to respond as follows.
Our normal process includes publishing details about the vulnerability within 90 days of the first report. If the issue is severe and a fix is still not released within that time, then we may opt for a single further 90-day extension before publishing.
Researchers who follow the guidelines laid out in this policy and refrain from harming any property or exposing any confidential information of Obsidian or its clients can be assured that we will not initiate legal action against them in relation to the disclosure of a vulnerability. We strive to establish a cooperative, professional working relationship with all those who report security concerns to us in good faith.