Responsible Disclosure Policy

At Prima, we take the security of our systems and data very seriously. We recognize the valuable role that security researchers and members of the public play in helping us identify and address potential security vulnerabilities. We encourage responsible disclosure of any vulnerabilities found in our systems, applications, or services to help us maintain the highest level of security for our customers.

This policy applies to all Prima systems, applications, and services, including third-party systems that we use. We reserve the right to update or modify this policy at any time without prior notice.

I found a vulnerability, what should I do?

If you have identified a potential vulnerability, we encourage you to report it to us as soon as possible, following these guidelines:

1. Do not take advantage of the vulnerability and do not perform any activity that can damage us or our users, or disrupt the impacted system or service.
2. Respect the privacy of our users and employees: you are not allowed to access or share information that you do not own.
3. Do not publicly disclose any information about the potential vulnerability, even after it has been remediated and the risk has been mitigated.
4. Provide us with all the necessary details to reproduce the vulnerability, including but not limited to: the steps taken to identify it, its location and impact, and any proof-of-concept code or scripts you produced.
5. Send us the report for the potential vulnerability you found (see the “How to report” section). We also accept anonymous reports. However, please avoid disposable email addresses, since we might need to contact you after the first report.

How to report

To report a potential vulnerability, you can send us an email to security-report@prima.it, following the guidelines from the previous section.

If you don’t feel comfortable sharing this information via plain text email, you can contact us at the same email address, and we will coordinate the establishment of an alternative secure channel.

What we promise

If you have followed the instructions above, we will not take any legal action against you concerning the report.

We will not pass on your personal details to third parties without your permission, unless it is necessary to comply with a legal obligation. Remember that we also accept reports under a pseudonym or anonymous.

Please note that Prima does not currently offer bounties or have a Hall of Fame for security researchers who report vulnerabilities. We appreciate and encourage responsible disclosure of vulnerabilities, but we cannot offer monetary or other rewards for such disclosures.