RESPONSIBLE VULNERABILITY DISCLOSURE POLICY


WIRELESS ACCESS MANAGEMENT COMMUNICATIONS (WAM COM)


Purpose

To allow for the reporting and disclosure of vulnerabilities discovered by external entities, and the anonymous reporting of information security policy violations by internal entities.

Scope

WAM COM's Responsible Vulnerability Disclosure Policy applies to all company core platforms and information security infrastructure, and to internal and external employees or third parties.

Background

WAM COM is committed to ensuring the safety and security of our customers and employees. We aim to foster an environment of trust and an open partnership with the information security community, and we recognize the importance of vulnerability disclosures in continuing to ensure the safety and security of all of our customers, employees and company. We have developed this policy both to reflect our corporate values and to uphold our legal responsibilities to good-faith security researchers who provide us with their expertise and to whistleblowers who add an extra layer of security to our infrastructure.

Roles and Responsibilities

WAM COM Information Security Team (IST) is responsible for reviewing, updating, maintaining, and enforcing Vulnerability Policies as well as conducting tests and remediating vulnerabilities and deficiencies. IST can be reached via email. The email addresses are as follows:

Information Security Team: IST@WAMCOMNV.COM

Information Security Officer: ISO@WAMCOMNV.COM

Chief Information Security Officer: CISO@WAMCOMNV.COM

Legal Posture

WAM COM will not engage in legal action against individuals or entities who submit vulnerability reports through our Vulnerability Reporting email inboxes. We openly accept reports for the current company policies, procedures, and practices. We agree not to pursue legal action against individuals or entities who:

  • Engage in testing of systems/research without harming WAM COM or its customers.
  • Engage in vulnerability testing within the scope of our vulnerability disclosure program.
  • Test practices and procedures without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their systems or devices, etc.
  • Adhere to all local, State, and Federal laws of their location and the location of WAM COM.
  • Refrain from disclosing vulnerability details to the public before the mutually agreed-upon timeframe expires.

Vulnerability Report/Disclosure

We like to see the following from a Vulnerability Report/Disclosure:

  • Well-written reports, which lead to a higher probability of resolution.
  • Reports which include proof-of-concept for better triage.
  • Include how the bug was found, the impact, and any potential remediation.
  • Include any plans or intentions for public disclosure.
  • Reports that include only crash dumps or other automated tool outputs may receive lower priority.

Response and Remediation

  • A timely response from IST to your email within 24 hours.
  • An open dialogue to discuss issues.
  • After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges which may extend it.
  • Notification when vulnerability analysis has completed each stage of our review.
  • Credit after vulnerability has been validated and fixed.
  • If we are unable to resolve issues or problems, WAM COM may bring in a third party for professional assistance.

Whistle Blowing

To anonymously report an information security program violation or a violation of related laws and regulations, please email IST@WAMCOMNV.COM. (We are working with Google to set up a Gmail account for Whistle Blowing. Updates soon to follow.)

Criteria to prioritize and review submissions:

  • Detailed report made in good faith or based on a reasonable belief.
  • Details of violation (i.e. what, how, why).
  • Details of the reported event, with facts (i.e. who, where, when).
  • The Whistleblower is NOT responsible for investigating the alleged violation, or for determining fault or corrective measures.

Response from WAM COM

  • The report will be reviewed by IST.
  • Whistleblower's identity and confidentiality will be protected.
  • Whistleblower will be protected from any form of retaliation and harassment, such as termination, compensation decreases, poor work assignments, and threats of physical harm.
  • Whistleblower can contact Human Resources via email HR@WAMCOMNV.COM to report retaliation.
  • Any retaliation and harassment against whistleblower will result in disciplinary action.
  • Whistleblower's right to protection against retaliation does not include immunity for any wrongdoing alleged in the report.
  • Due process for the whistleblower and the accused parties.
  • Corrective action will be taken to resolve a verified violation followed by review and enhancement of applicable practices, procedures and policies, if necessary and appropriate.
  • Continued Information Security Awareness training and education about whistleblowers' rights.





