Vulnerability Disclosure Policy
Introduction
At Graphic Packaging International (GPI), maintaining the integrity and security of our digital assets is paramount. While we are committed to addressing all security threats, this policy specifically focuses on external vulnerabilities, particularly those impacting our publicly accessible platforms. We encourage the responsible disclosure of these vulnerabilities to ensure the ongoing security of our systems. We value collaboration with external security researchers – individuals or organizations dedicated to investigating and reporting vulnerabilities that they discover. By identifying vulnerabilities and promptly addressing them, we not only fortify the security of our manufacturing solutions but also safeguard the interests of our valued customers.
Vulnerability Disclosure Policy
This policy guides our interactions with external security researchers, ensuring a standardized and ethical approach to vulnerability reporting. Below are the key aspects of our Vulnerability Disclosure Policy.
Eligibility
– You are an external individual security researcher participating in your own individual capacity.
– You work for a security research organization that permits you to participate in your own individual capacity. You are responsible for reviewing, and abiding by, your employer’s rules for participating in this program.
Scope
This policy applies to any digital asset owned, operated, or maintained by GPI, including public websites *.graphicpkg.com.
Please Note
GPI does not offer compensation in exchange for identification of potential issues.
Commitment to Researchers
– Trust: We maintain trust and confidentiality in our engagements with security researchers.
– Respect: We recognize and respect the valuable contributions researchers make to safeguarding our operational integrity.
– Collective welfare: Our approach to resolving issues prioritizes the well-being and security of those potentially impacted by reported vulnerabilities.
What We Ask of Researchers
– Trust: We trust that researchers will communicate about potential vulnerabilities in a reliable manner, providing sufficient details and information for our team to identify and validate potential issues.
– Respect: Refrain from privacy violations and actions that would harm our systems or services by creating a degradation or interruption of such systems or services, including loss or manipulation of data.
– Collective welfare: Please refrain from public disclosure of vulnerabilities before mitigation occurs. Do not engage in social engineering or phishing by targeting our customers and employees.
– Avoid disruptive testing: Please do not engage in any disruptive activities that could compromise confidentiality, integrity or availability of our information and systems.
Vulnerability Reporting Process
If you believe you have found a vulnerability in any digital asset owned, controlled, or operated by GPI, please submit the vulnerability information to GPI through an email to bugreporting@graphicpkg.com.
To enable GPI to investigate and remedy the potential vulnerability, please report it as soon as possible after discovery and provide a detailed summary of the vulnerability including the following information, if known:
– A description of the finding and how it was discovered.
– The asset(s) affected.
– Reproduction instructions to enable GPI to validate the vulnerability.
The GPI Security team will conduct a comprehensive investigation and take appropriate action for resolution.