Vulnerability Disclosure Policy
How to report a security vulnerability to ADNT Sàrl. Coordinated disclosure, single point of contact, and commitments aligned with the Cyber Resilience Act (CRA).
The security of our products and our customers is a priority. If you believe you have discovered a vulnerability in our firmware, products, or services, we invite you to report it responsibly. This policy describes how to proceed and what we commit to in return.
It is part of a coordinated vulnerability disclosure (CVD) process, aligned with the requirements of the European Cyber Resilience Act (Regulation (EU) 2024/2847).
Single point of contact
- Email: security@adnt.io
- security.txt: adnt.io/.well-known/security.txt
- PGP key: ADNTIO-Security.asc
Fingerprint: F8C0 2587 6310 2591 ED54 CC9D DC19 021C F9E2 2A58
For sensitive reports, please encrypt your message with our PGP key.
How to report
To help us handle your report quickly, please include:
- a description of the vulnerability and its potential impact;
- the affected product, firmware, or service, and its version;
- the steps to reproduce (proof of concept, logs, screenshots);
- any contact information that allows us to reach you.
Our commitments
- Acknowledgement within 48 hours.
- Initial triage — severity assessment and determination of any active exploitation — without delay after acknowledgement, and within 72 hours at the latest.
- Regular updates on the progress of the investigation and the fix.
- Credit for your contribution (if you wish) once the vulnerability is fixed.
Reporting to authorities (CRA, Article 14)
If triage reveals an actively exploited vulnerability affecting a product we have made available on the European market, we notify the CSIRT designated as coordinator and ENISA through the Single Reporting Platform, according to the Cyber Resilience Act deadlines:
- early warning within 24 hours of becoming aware;
- full notification within 72 hours;
- final report within 14 days after a corrective measure is made available.
These reporting obligations apply from 11 September 2026.
Coordinated disclosure
We follow a principle of coordinated disclosure: we publish the details of the vulnerability once a fix is available, in coordination with you, within a reasonable timeframe (typically 90 days).
Good-faith commitment
We commit not to pursue legal action against anyone who:
- acts in good faith and in compliance with this policy;
- avoids any harm to the confidentiality, integrity, and availability of our services and those of our customers;
- does not disclose the vulnerability before the coordinated disclosure process is complete.
Out of scope
The following are not considered vulnerabilities, unless a concrete impact is demonstrated:
- reports from automated scanners without proof of exploitability;
- denial-of-service attacks (DoS / DDoS);
- social engineering and phishing targeting our staff;
- missing best practices without a concrete attack vector (headers, TLS configuration, etc.).