Report a Vulnerability
Prodia Systems Ltd operates a public coordinated vulnerability disclosure (CVD) process aligned with ISO/IEC 29147:2018 and ENISA guidance. This page is the canonical intake channel for security researchers. The full legal terms — scope, safe harbour and reward posture — are set out in the Vulnerability Disclosure Policy.
1. Triage Service Levels
Every report received through this intake is tracked against a documented SLA. Timelines are measured in Irish business days from receipt of a complete report.
- Acknowledgement: within 3 business days, including a unique tracking reference.
- Initial triage & severity assessment: within 10 business days, using CVSS 3.1 as the baseline.
- Automated SLA tracking: the deadline for every report is monitored automatically. A reminder is sent to you and to our internal security queue when a deadline is 24 hours away (acknowledgement) or 48 hours away (triage), and a breach notification is sent the moment a deadline passes without action. You never need to chase us — the tracker does it on your behalf.
- Status updates: at least every 14 days until the report is resolved or formally closed.
- Remediation targets: Critical within 7 days, High within 30 days, Medium within 90 days, Low at the next maintenance window. Compensating controls are applied where immediate remediation is not feasible.
- Public disclosure window: ordinarily 90 days from report, extendable by mutual agreement where remediation requires coordinated rollout.
2. Safe-Handling Guidelines for Reporters
Researchers acting in good faith and within these guidelines are covered by the safe-harbour terms in our Vulnerability Disclosure Policy. To stay within scope:
- Test only against assets you own or accounts you created for research purposes. Do not pivot into other tenants or production customer data.
- If you incidentally access customer or personal data, stop immediately, do not retain copies, and notify us in the same report.
- Never run denial-of-service, volumetric, social-engineering or physical-security tests against Prodia or its personnel.
- Do not exfiltrate, modify or destroy data beyond the minimum required to demonstrate impact.
- Hold public disclosure for at least 90 days, or longer where Prodia requests additional time and provides a written remediation plan.
- For high-sensitivity findings (pre-authentication RCE, key material, mass data exposure), prefer PGP-encrypted email to security@prodia.dev rather than this web form. Our PGP key and security.txt are published at /.well-known/security.txt.
3. Secure Intake Form
Use this form for in-scope, lower-sensitivity findings. Submissions are transported over TLS, validated server-side and assigned a tracking reference returned in the response. We recommend you record this reference locally — it will appear in all subsequent correspondence.
4. After You Submit
4.1 Tracking and confidentiality
Each accepted report is logged in a restricted-access security tracker. Access is limited to the on-call security engineer, the responsible product owner, and — where remediation requires it — a named developer under two-person review. Reports are never used for sales, marketing or any non-security purpose.
4.2 What we will share with you
- The assigned tracking reference and severity.
- Whether the report is in scope, duplicate, or out of scope, with reasoning.
- Remediation status and expected disclosure window.
- Optional public credit in our hall of fame once a fix is deployed.
4.3 What we ask of you
- Hold disclosure until we confirm remediation or the agreed window elapses.
- Engage with our triage engineer in good faith if we need clarification.
- Tell us promptly if you discover related issues — they will be tracked under the same reference where appropriate.
5. Out-of-Band Channels
- Email: security@prodia.dev (PGP encouraged for sensitive material).
- security.txt: /.well-known/security.txt
- Postal: Prodia Systems Ltd, 27 Pembroke Street Upper, Dublin 2, D02 X361, Ireland — marked "Security, confidential".
