Vulnerability disclosure policy

1. Introduction

Our organisation values the security and integrity of our systems and data. We encourage the responsible disclosure of security vulnerabilities to strengthen our security posture. This policy outlines how to report vulnerabilities and our process for addressing them.

2. Scope

This policy applies to all individuals who discover or suspect a security vulnerability in the Cyberismo software or Cyberismo content, including employees, contractors, and third parties.

3. Reporting Vulnerabilities

• Contact Information:
  • Report any security issues regarding the Cyberismo software via the GitHub security vulnerability reporting channel.
  • Report any security issues not related to the Cyberismo software to security [AT] cyberismo.com. Details for encrypting email communications are available in our RFC 9116 security.txt.
• Information Required: Provide a detailed description of the vulnerability, including steps to reproduce, potential impact, and any relevant screenshots or logs. Please include your contact information for follow-up.
• Confidentiality: All reports are treated confidentially. Do not publicly disclose the vulnerability until we have addressed it and provided guidance on responsible disclosure.

4. Handling and Response

• Acknowledgement: We will acknowledge receipt of your report within 5 working days.
• Evaluation: Our security team will assess the reported vulnerability and determine its severity and potential impact.
• Resolution: We will work to address and resolve the vulnerability in a timely manner. We will provide updates on the status of the resolution process.
• Feedback: We will inform you when the vulnerability has been resolved and provide any relevant details.

5. Responsible Disclosure

• No Exploitation: Do not exploit, attempt to exploit, or publicly disclose the vulnerability until it has been resolved. Responsible disclosure enables us to address the issue promptly and minimises risk.
• Legal Protections: In many jurisdictions, ethical disclosure may be protected by law. However, unauthorised access or activities beyond the agreed scope may be considered unlawful.

6. Recognition

• Acknowledgement: We may recognise individuals who responsibly disclose vulnerabilities in our public security advisories or on our website.
• Rewards: We do not currently offer monetary rewards, but we value and appreciate the contributions made to our security.

7. Policy Review

We will review and update this policy regularly to ensure it remains effective and aligned with best practices.

8. Contact

For any questions about this policy or the disclosure process, please contact security [AT] cyberismo.com.

Effective Date: 2024-09-13