Scality Vulnerability Disclosure Policy

Introduction

Scality is committed to ensuring the safety and security of our customers and products. We recognize the invaluable role that the independent security research community plays in helping us achieve this goal. This policy provides guidelines for security researchers to responsibly report vulnerabilities discovered in our software and systems, and outlines our commitment to engaging with them in a collaborative and non-adversarial manner.

We promise to investigate all reported vulnerabilities promptly and to work diligently to correct valid issues.

Systems in Scope

This policy applies to any digital assets owned, operated, or maintained by Scality.
All deployed and maintained versions of ARTESCA and RING are covered.

Category | In-Scope Assets & Components
I. Scality Products | All currently supported and maintained versions of Scality RING (including RING XP for high-performance use cases) and Scality ARTESCA.
II. Management Interfaces | The administrative consoles, graphical user interfaces (GUIs), and command-line interfaces (CLIs) used to manage Scality RING and ARTESCA deployments, including the Scality Cloud Monitor service.
III. APIs and Protocols | The implementation of the S3 Object Storage API (including S3 Object Lock, IAM, and MFA features) and any other proprietary APIs or protocols used for data access, management, or replication within Scality products.
IV. Corporate Web Assets | The primary corporate website (scality.com) and all official subdomains and associated applications directly supporting product access (e.g., customer portals).

Out of Scope

Third-Party Systems: Assets or other equipment not owned, controlled, or managed by Scality (e.g., third-party integrated services, partner websites, and externally hosted platforms). Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.
Vulnerabilities found in third-party or open-source software libraries used by Scality products (ARTESCA and RING) are outside the scope of this policy. Please report these vulnerabilities directly to the respective vendor or open-source maintainer. We ask that you notify us of the report so that we may track the issue internally and prepare to deploy the official fix.
Prohibited Testing: Any attempt at Denial of Service (DoS, DDoS), high-volume automated scanning, or excessive resource consumption.
Social Engineering: Any form of phishing, spamming, or physical security attempts against employees, customers, or Scality facilities.
User Data Interference: Accessing, modifying, or deleting Scality customer or employee data, even if discovered unintentionally.

Our Commitments

When working with us, according to this policy, you can expect us to:

  • Coordinate with you as openly and as quickly as possible, if you choose to share your contact information with us.
  • Acknowledge within 3 business days that your report has been received.
  • Be as transparent as possible about the steps we are taking during the remediation process, including any issues or challenges that may delay resolution.
  • Maintain an open dialogue to discuss issues.
  • In certain circumstances, we may deviate from this Policy, such as:
    – Imminent Risk: If the vulnerability poses an immediate risk to our customers, we may need to disclose it publicly without prior coordination.
    – Legal Requirements: We may be required to disclose vulnerabilities due to legal or regulatory obligations.

Our Expectations

In participating in our vulnerability disclosure program in good faith, we ask that you:

  • Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
  • Report any vulnerability you’ve discovered promptly;
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
  • Provide us with a reasonable amount of time, at minimum enough to inform our customers and to find a remediation or mitigation, before you disclose the vulnerability publicly;
  • If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required to effectively demonstrate a proof of concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
  • Only interact with test accounts you own, or with the explicit permission of the account holder; and
  • Do not engage in extortion.

Vulnerability Reporting

Please report security issues via http://scality.com/, providing all relevant information. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 7 calendar days. The more details you provide, the easier it will be for us to triage and fix the issue.

We strongly encourage you to include the following details in your submission:

  • The name and version of the product/asset impacted by the vulnerability.
  • A clear description of the vulnerability type and its potential impact.
  • The exact affected component, module, URL, etc. (all technical information related to the vulnerability).
  • Vulnerability attack scenario description: detailed, step-by-step instructions (a proof of concept) to reproduce the vulnerability, along with any necessary tools, code, or configurations.
  • Recommended fixes or mitigations, if any.

After Submitting a Report

  • Once your report is submitted, our goal is to acknowledge it within 3 calendar days and to initiate the triage process in a timely manner.
  • Reported issues are prioritized for resolution by assessing their impact, severity, and exploit complexity. Please be aware that prioritizing and addressing vulnerability reports may take some time as we focus on the remediation process.
  • After your original report, we will use additional communication channels such as email. The original reporting form offers the option to secure these communications using encryption.
  • We will promptly notify you once the reported vulnerability has been successfully resolved.

Legal protection

If you make a good faith effort to comply with this policy during your security research, Scality commits to the following:

  • We will consider your research to be authorized under relevant anti-hacking laws (such as the U.S. Computer Fraud and Abuse Act).
  • We will not initiate or recommend legal action against you for accidental, good-faith violations of this policy.
  • If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will take steps to make it known that your actions were conducted in compliance with our VDP.

Version 1.3
Date 2026-01-13