Product Security and Coordinated Vulnerability Disclosure (CVD) Policy

ePati Cyber Security is one of Turkey’s leading cyber security product developers. We prioritize the philosophy of “Secure Product” in our product/software development lifecycle, ensuring our products meet the highest assurance standards.

We maintain a strong collaboration with our customers through our commitment to their security and our agility in research and development.


1. Scope

Our product security policies cover the following products, services, and systems:

This policy is not applicable to products that have reached the End-of-Life stage.


2. Vulnerability Reporting Process

It is essential that security researchers act lawfully and in good faith. ePati welcomes reports from independent researchers, industry organizations, suppliers, customers, and other sources interested in product or network security.

Individuals reporting a vulnerability are expected to follow the steps below:

2.1. Communication Channel

Vulnerabilities must only be reported via an encrypted communication channel to the following official Security Contact Point (PSIRT) email address:

  • Email: psirt@epati.com.tr

2.2. Required Information

The report must include sufficient technical detail to allow us to reproduce the issue:

  • Name/type of the vulnerability (e.g., XSS, SQLi, Buffer Overflow).
  • Affected Product Model and Version.
  • Step-by-step instructions and proof-of-concept (PoC) code to reproduce the vulnerability.
  • Potential impact and risk level of the vulnerability (CVSS score suggestion).
  • Researcher’s contact information.

2.3. Responsible Disclosure

Researchers commit not to disclose the vulnerability to any third party, public channel, or social media before reporting it to ePati or before a fix/update is released. This is vital for protecting our customers.


3. Incident Response and Resolution Process

Vulnerability reports concerning our products will be managed according to the following PSIRT (Product Security Incident Response Team) procedure:

3.1. Acknowledgment (5 Business Days)

Within a maximum of five (5) business days from the receipt of the report, an acknowledgment of receipt is sent to the sender, and a tracking number (Case ID) is assigned.

3.2. Evaluation and Verification (15 Business Days)

The PSIRT verifies the vulnerability and determines a risk priority using the CVSS (Common Vulnerability Scoring System) score. If necessary, the researcher will be requested to provide additional information.

3.3. Remediation and Planning (Negotiated Period)

  • A fast remediation plan is initiated for critical vulnerabilities.
  • The resolution time is determined based on the complexity of the vulnerability. Our standard resolution target is 90 days, but this period can be negotiated in collaboration with the researcher, depending on the nature of the vulnerability.
  • During this period, interim workarounds and signatures (e.g., an NGFW IPS signature) may be provided to mitigate the vulnerability.

3.4. Disclosure Coordination (CVD)

  • When the security update is ready, ePati sets a date for the public announcement of the vulnerability and its solution (generally the day the patch is released).
  • ePati issues an official Security Advisory for the vulnerability.
  • Upon the researcher’s request, and provided policy rules are adhered to, their name may be included in the published advisory.

4. Product Security and Integrity

Our ePati Secure Development Lifecycle (SDLC) policy is based on the principle of “Security by Design, Security by Default”.

Comprehensive tools and testing processes are operated to ensure product security, including the following:

  • Static Application Security Testing (SAST) integrated into the build processes.
  • Software Bill of Materials (SBOM) analysis to detect risks in open-source software (OSS) and third-party libraries.
  • Manual code reviews performed by our expert engineers.
  • Internal penetration tests conducted periodically.

All vulnerabilities identified during these efforts are rigorously addressed.


While this policy authorizes security researchers to conduct research on the product, it requires researchers to strictly avoid the following actions:

  • Causing potential or actual harm to ePati, its systems, or applications.
  • Attempting to access data without authorization or to exfiltrate data.
  • Conducting Denial of Service (DoS) attacks or disrupting the normal operation of the product.
  • Sharing the vulnerability with other parties before it is made public.
  • Attempting social engineering against ePati employees or customers.

Please note that if your security research involves networks, systems, data, or applications belonging to third parties other than ePati, those parties may pursue legal action. As ePati, we do not have the authority to grant permission for security research conducted on assets belonging to other organizations.

Although we adhere to the principle of keeping reported information confidential, we remind you that we may be required to share this information under a court order or where legally required.

Furthermore, we wish to state that this policy does not imply that we will defend, indemnify, or protect you in legal proceedings initiated by third parties resulting from your actions.

In the event of non-compliance with these rules, ePati reserves the right to exercise its legal rights.