To Be Continued

Vulnerability Disclosure Policy

Last updated: July 2024

Introduction

Reporting

In your report please include details of:

Title
Concise summary categorising the vulnerability and the site/application where it can be found, e.g. Reflected XSS on the XYZ website.

Asset
Web address, IP address, product, service name, etc.

Weakness
Such as a CVE.

Severity
Such as low, medium, high or critical, together with the score calculated via CVSS.

Description of the Vulnerability
- A summary of the vulnerability
- Supporting files (e.g. screenshot or video)
- Any mitigations or recommendations

Steps to reproduce
- Clear and descriptive steps to reproduce the vulnerability.
- These should be a benign, non-destructive proof of concept.

Impact
The effects of successfully exploiting the vulnerability.

Contact details
- Name
- Email address (these details are optional, to enable anonymous reporting)

What to expect

...something goes here...

Guidance

You must NOT:
- Break any applicable law or regulations.
- Access unnecessary, excessive or significant amounts of data.
- Modify data in unauthorized systems or services.
- Use high-intensity, invasive or destructive scanning tools to find vulnerabilities.
- Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
- Disrupt external services or systems.
- Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with "best practice", for example missing security headers.
- Submit reports detailing TLS configuration weaknesses, for example "weak" cipher suite support or the presence of TLS 1.0 support.
- Communicate any vulnerabilities or associated details other than by the means described in the published security.txt.
- Social engineer, 'phish' or physically attack any affected staff or infrastructure.
- Demand financial compensation in order to disclose any vulnerabilities.

You must:
- Always comply with data protection rules and not violate the privacy of any data being held. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
- Securely delete all data retrieved during your research as soon as it is no longer required, or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

Legalities

...something goes here...