CVD Policy

Coordinated Vulnerability Disclosure Policy

Gleason Corporation (and all affiliates, divisions, and branch offices, which shall be referred to, collectively, as “we,” “our,” “us,” or the “Company”) is committed to ensuring the security of our products, solutions, and systems.  We appreciate the work of customers, security researchers, and other reporters (referred to herein as “you”) who help identify vulnerabilities.  This Coordinated Vulnerability Disclosure Policy (“Policy”) describes our process for handling reported security vulnerabilities.

Our Commitments to You

We will review and investigate any reported vulnerability.  The Company will not pursue legal action for reporters who report vulnerabilities in good faith, in accordance with this Policy, and in a manner that does not cause harm to our employees, products, solutions, systems, customers, or other business partners.  The Company will not require any reporter to sign a non-disclosure agreement as a condition to making a report.

Reporting Channels and Encryption

To report any suspected vulnerabilities, please use the reporting channels described below.  We ask that you send any confidential information in encrypted form, if possible.

All reports should include a technical description of the vulnerability, its impact, and the identity of any affected products, solutions, or systems, as well as steps to reproduce, mitigating factors, and/or available fixes, and any available information on the publicity of the vulnerability and any exploitation thereof.

What We Consider a Valid Vulnerability

A report should meet the following criteria:

  • It directly affects a product, solution, or system of the Company;
  • The information is not yet publicly known; and
  • The report is not merely the result of automated scans without accompanying documentation or analysis.

Code of Conduct for Reporters

The Company expects you to act responsibly.

  • Do not abuse the vulnerability you have discovered (g., do not access more data than is necessary for demonstration purposes).
  • Do not carry out attacks that impair availability (g., DoS, spam) or social engineering against our employees.
  • Do not manipulate or compromise third-party systems or data.
  • Avoid any adverse impact to the safety or privacy rights of our employees or third parties.
  • Comply at all times with applicable laws and regulations in connection with your security research activities and reporting.

Process Flow and Response Times

If you provide your contact details, we will confirm receipt of your report via a non-automated message within five (5) business days of the report.  We will endeavor to respond in more detail to your report and remediate any confirmed vulnerability as soon as practicable, but the exact timeline to respond will depend on the relevant circumstances.

Completion and Acknowledgment

The CVD process is considered complete when the vulnerability has been fixed and publicly disclosed, or when the reports have been proven to be unfounded.  The Company follows the principle of coordinated disclosure.  We request that you do not disclose vulnerability details to the public until a fix or mitigation is available.  The Company does not offer any monetary compensation for vulnerability disclosures; however, we may credit you for discovering certain vulnerabilities upon mutual written agreement.

Privacy

Please note that we will handle any personal or contact information submitted to us in accordance with our Privacy Policy which is available here: https://www.intra-aerospace.com/en/privacy-policy.

 

Policy

Issue Number

Description of Change

Effective Date

Coordinated Vulnerability Disclosure Policy

1

Initial Change

[July 10, 2026]