| 1. | Know Your Rights, which can be found | |
| 2. | USERRA poster, which can be found | |
| 3. | Pay transparency non-discrimination provision poster, which can be found | |
| 4. | E-verify which can be found | |
| 5. | IER Right to Work Poster, which can be found |
Responsible Vulnerability Disclosure Policy
At Artech, and all its subsidiaries (collectively “Artech”), we take the security of our systems, networks, client environments, and confidential and proprietary data very seriously. As a global provider of IT staffing, consulting, and project services, we work with sensitive information and mission-critical systems every day. Artech is committed to protecting this information and adheres to a proactive continuous improvement approach to information security.
We value the information security community’s efforts to help identify and address vulnerabilities that could impact our business operations or the clients we serve. If you believe you have discovered a security vulnerability within our corporate systems, portals, or other technology assets, we encourage you to report it to us responsibly. This Responsible Vulnerability Disclosure Policy (the “Policy”) is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.
This Policy describes what systems and types of research are covered under this Policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
Authorization
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized we will work with you to understand and resolve the issue quickly, and Artech will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.
Guidelines
Under this Policy, “research” means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Scope of Policy
This Policy applies to the following Artech systems:
Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Spam or non-security-related issues are also excluded from scope of this Policy. Additionally, vulnerabilities found in systems from our clients or vendors fall outside of this Policy’s scope and should be reported directly to the client/vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at security@artech.com before starting your research. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We may increase the scope of this Policy over time as business needs and practices require.
Prohibited Test Methods
The following test methods are not authorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
- Any test method which violates local, state, United States, or international law.
How to Report a Vulnerability
Information submitted under this Policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely Artech, we may share your report with the appropriate law enforcement or government agencies, where it will be handled under their coordinated vulnerability disclosure process. Artech will not share your name or contact information without express permission. Reports may be submitted anonymously.
Please send all reports to security@artech.com and include:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Any relevant screenshots or proof-of-concept details
- Your contact information for follow-up (optional if you wish to remain anonymous)
We ask that you:
- Do not access, alter, or delete data belonging to Artech, our employees, or our clients
- Avoid service disruptions to our business or client operations
- Comply with applicable laws while testing
Our Commitment to You
When you report a vulnerability:
- We will acknowledge receipt within five (5) business days.
- We will review and verify the reported issue promptly.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including issues or challenges that may delay resolution.
- To the best of our ability, we will maintain an open dialogue to discuss issues.
If you consent, we will publicly acknowledge your contribution after the issue is resolved.
Safe Harbor
We will not initiate legal action against individuals who:
- Report vulnerabilities to us in good faith
- Follow the guidelines outlined in this Policy
- Do not exploit vulnerabilities beyond the minimal amount needed to demonstrate the finding of vulnerabilities in accordance with this Policy.
Questions
Thank you for helping us protect our systems, our people, and our clients. Your contributions strengthen our ability to provide secure, reliable services. Questions regarding this Policy may be sent to security@artech.com. We also invite you to contact us with suggestions for improving this Policy.
