Published date: June 11, 2026
1. Purpose
X-Formation encourages responsible reporting of potential security vulnerabilities.
The objective of this process is to enable coordinated remediation and responsible disclosure while protecting customers.
2. Scope
This policy applies to:
- X-Formation products, including License Statistics and LM-X License Manager
- Officially distributed installers
- All supported versions (for details, see Security Update & Support Policy)
- Supported integrations and interfaces
The following are outside the scope of this policy:
- Customer customizations
- Unsupported deployments
- Customer infrastructure
- Third-party software not supplied by X-Formation
3. Security Contact
Email: security@x-formation.com.
More contact options are available on the contact page.
4. Reporting a Vulnerability
Reports should contain, where possible:
- Affected component
- Software version
- Vulnerability description
- Reproduction steps
- Expected and observed behavior
- Potential impact
5. Response Targets
| Activity | Target |
|---|---|
| Acknowledgement | 3 business days |
| Initial assessment | 7 business days |
| Status communication | periodic |
| Resolution target | risk-based |
6. Coordinated Disclosure
We follow coordinated vulnerability disclosure principles:
- We request that you do not publicly disclose the issue until a fix is available
- We aim to resolve issues within 90 days, where possible
- We may request an extension if necessary
7. Safe Harbor
We will not take legal action against researchers who:
- Act in good faith
- Avoid privacy violations, data destruction, or service disruption
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
8. Legal Compliance
We handle vulnerability reports in accordance with applicable regulations, including the EU Cyber Resilience Act (CRA).