| 1 | +# OpenSPP Vulnerability Disclosure Policy |
| 2 | + |
| 3 | +## Introduction |
| 4 | + |
| 5 | +OpenSPP welcomes feedback from security researchers and the general public to help improve our security. If |
| 6 | +you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any |
| 7 | +of our assets, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, what |
| 8 | +we expect, what you can expect from us. |
| 9 | + |
| 10 | +## Systems in Scope |
| 11 | + |
| 12 | +This policy applies to any digital assets owned, operated, or maintained by OpenSPP. |
| 13 | + |
| 14 | +## Out of Scope |
| 15 | + |
| 16 | +- Assets or other equipment not owned by parties participating in this policy. |
| 17 | + |
| 18 | +Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor |
| 19 | +or applicable authority. |
| 20 | + |
| 21 | +## Our Commitments |
| 22 | + |
| 23 | +When working with us, according to this policy, you can expect us to: |
| 24 | + |
| 25 | +- Respond to your report promptly, and work with you to understand and validate your report; |
| 26 | +- Strive to keep you informed about the progress of a vulnerability as it is processed; |
| 27 | +- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and |
| 28 | +- Extend Safe Harbor for your vulnerability research that is related to this policy. |
| 29 | + |
| 30 | +## Our Expectations |
| 31 | + |
| 32 | +In participating in our vulnerability disclosure program in good faith, we ask that you: |
| 33 | + |
| 34 | +- Play by the rules, including following this policy and any other relevant agreements. If there is any |
| 35 | + inconsistency between this policy and any other applicable terms, the terms of this policy will prevail; |
| 36 | +- Report any vulnerability you’ve discovered promptly; |
| 37 | +- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user |
| 38 | + experience; |
| 39 | +- Use only the Official Channels to discuss vulnerability information with us; |
| 40 | +- Provide us a reasonable amount of time (at least 120 days from the initial report) to resolve the issue |
| 41 | + before you disclose it publicly; |
| 42 | +- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope; |
| 43 | +- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum |
| 44 | + required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately |
| 45 | + if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal |
| 46 | + Healthcare Information (PHI), credit card data, or proprietary information; |
| 47 | +- You should only interact with test accounts you own or with explicit permission from the account holder; and |
| 48 | +- Do not engage in extortion. |
| 49 | + |
| 50 | +## Official Channels |
| 51 | + |
| 52 | +Please report security issues via email: [email protected], providing all relevant information. The more |
| 53 | +details you provide, the easier it will be for us to triage and fix the issue. |
| 54 | + |
| 55 | +## Safe Harbor |
| 56 | + |
| 57 | +When conducting vulnerability research, according to this policy, we consider this research conducted under |
| 58 | +this policy to be: |
| 59 | + |
| 60 | +- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action |
| 61 | + against you for accidental, good-faith violations of this policy; |
| 62 | +- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for |
| 63 | + circumvention of technology controls; |
| 64 | +- Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would |
| 65 | + interfere with conducting security research, and we waive those restrictions on a limited basis; and |
| 66 | +- Lawful, helpful to the overall security of the Internet, and conducted in good faith. |
| 67 | + |
| 68 | +You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party |
| 69 | +against you and you have complied with this policy, we will take steps to make it known that your actions were |
| 70 | +conducted in compliance with this policy. |
| 71 | + |
| 72 | +If at any time you have concerns or are uncertain whether your security research is consistent with this |
| 73 | +policy, please submit a report through one of our Official Channels before going any further. |
| 74 | + |
| 75 | +> Note that the Safe Harbor applies only to legal claims under the control of the organization participating |
| 76 | +> in this policy, and that the policy does not bind independent third parties. |
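Review bot: the Official Channels section (file line 52) gives the contact only as `[email protected]`, which as rendered does not resolve to a usable mailbox; please confirm the real address is in the committed file, and since the policy asks reporters to limit exposure of user data, consider stating whether encrypted reports are accepted (for example by publishing a PGP key alongside the address). Two smaller points in the same hunk: Our Commitments promises only to "Respond to your report promptly" while Our Expectations asks researchers for at least 120 days before public disclosure, so a concrete acknowledgment window (for example "within N business days") would make the commitment symmetrical with what is asked of reporters; and the wording slips in two places, the introduction reads "what we expect, what you can expect from us" (missing "and"), and the bullet "You should only interact with test accounts you own..." breaks the imperative form of the surrounding list ("Interact only with test accounts you own...").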