Almaviva S.p.A. – CNA Disclosure Policy

1. How to report an issue

If you have discovered a potential security vulnerability affecting software within the CNA scope, please report it responsibly to:

Email: cve-reporting@almaviva.it

Please include in your report:

  • A detailed description of the vulnerability
  • The product and version affected
  • Steps to reproduce (if possible)
  • Potential impact

We encourage the use of encryption for sensitive information. Our PGP key can be requested at the above email address.

2. Scope

This disclosure policy applies to vulnerabilities discovered in software products developed and maintained by Almaviva S.p.A., including but not limited to:

  • CybeRisk Vision – Joshua
  • CybeRisk Vision – Jiano
  • CybeRisk Vision – Sofia
  • Giotto platform

The CNA scope is limited to proprietary solutions under the direct control of Almaviva S.p.A.

3. Out of Scope

The following are outside the scope of this policy:

  • Vulnerabilities in software products not developed and maintained by Almaviva S.p.A.
  • Solutions developed by Almaviva S.p.A. but not under its direct control (e.g., white-label or custom solutions deployed and maintained exclusively by third parties or clients).
  • Issues that are already publicly known without evidence of exploitation.
  • Social engineering attacks, physical security issues, or denial-of-service (DoS) testing.

4. What to expect from us

  • Acknowledgement: We will acknowledge receipt of your report within 5 business days.
  • Initial assessment: We will provide an initial evaluation of the report within 10 business days.
  • Status updates: We will keep you informed of the remediation process at key stages.
  • Coordination: If the issue is confirmed as a vulnerability, we will coordinate with you regarding public disclosure, giving appropriate credit if desired.
  • Confidentiality: We ask that you do not disclose information about the vulnerability publicly until we have confirmed and addressed it.

5. Disclosure timelines

  • Day 0 (report received): We acknowledge receipt within 5 business days.
  • Within 30 days: We aim to provide confirmation of the vulnerability, an assessment of its impact, and a remediation plan or timeline.
  • Within 90 days: Our target is to release a fix, patch, or mitigation. In some cases, this may take longer; if so, we will keep the reporter informed.
  • Public disclosure: We will coordinate with the reporter to disclose the vulnerability responsibly once a fix is available, or after 90 days from confirmation if no fix is yet released (following industry best practices).

6. Responsible Disclosure Commitment

Almaviva S.p.A. is committed to working with the security community to protect our customers and products. We will not pursue legal action against individuals who report vulnerabilities responsibly and in good faith, in accordance with this policy.