drive/policies/RDP.tex

106 lines
7.2 KiB
TeX
Raw Normal View History

2020-11-15 17:43:56 +01:00
\documentclass[10pt]{article}
\usepackage[utf8]{inputenc}
\usepackage{geometry}
\geometry{a4paper}
\usepackage{graphicx}
\usepackage{booktabs}
\usepackage{array}
\usepackage{paralist}
\usepackage{verbatim}
\usepackage{subfig}
\usepackage{fancyhdr} % This should be set AFTER setting up the page geometry
\pagestyle{fancy} % options: empty , plain , fancy
\renewcommand{\headrulewidth}{0pt} % customise the layout...
\lhead{}\chead{}\rhead{}
\lfoot{}\cfoot{\thepage}\rfoot{}
%%% SECTION TITLE APPEARANCE
\usepackage{sectsty}
\allsectionsfont{\sffamily\mdseries\upshape}
%%% ToC (table of contents) APPEARANCE
\usepackage[nottoc,notlof,notlot]{tocbibind} % Put the bibliography in the ToC
\usepackage[titles,subfigure]{tocloft} % Alter the style of the Table of Contents
\renewcommand{\cftsecfont}{\rmfamily\mdseries\upshape}
\renewcommand{\cftsecpagefont}{\rmfamily\mdseries\upshape} % No bold!
%%% END Article customizations
%%% The "real" document content comes below...
\title{Responsible Disclosure Policy}
\author{Zeus WPI}
%\date{} % Activate to display a given date or no date (if empty),
% otherwise the current date is printed
\renewcommand*{\theenumi}{\thesection.\arabic{enumi}}
\renewcommand*{\theenumii}{\theenumi.\arabic{enumii}}
\usepackage{hyperref}
\begin{document}
\maketitle
We place a great deal of importance in making sure that our applications, infrastructure and information is safe. We take all the steps necessary, to our knowledge, to make sure this is the case. Yet we are still humans, as such it is perfectly possible that an application or part of our infrastructure contains an unexpected security risk. If you come across such a risk, it is imperative that you signal this to us as quick as possible, so that we may contain, limit and remedy to security risk. \emph{This responsible disclosure policy is applicable to all applications and infrastructure managed and under control of Zeus WPI.}
The security risk, data leak, compromised infrastructure, etc will be henceforth referred to as `the vulnerability', while the person (or persons) reporting the vulnerability to Zeus WPI, will be referred to as `the reporter'.
\section{Our promises}
\begin{enumerate}
\item If the reporter abides by the rules and guidelines outlined in this document, no legal actions of any kind will be taken against the reporter, by Zeus WPI. This is under the assumption that no applicable laws were broken, at which point Zeus WPI is obligated to notify the relevant authorities.
2020-11-15 17:43:56 +01:00
\item During the process of resolving the vulnerability, the reporter will be kept in the loop and updated on the progress Zeus WPI makes towards resolving the vulnerability.
\item After taking notice of the vulnerability Zeus WPI will do everything in its power to resolve the vulnerability as quick as possible. The reporter can expect a response within seven days, of initially bringing the attention of Zeus WPI to the vulnerability.
\item After the vulnerability has been resolved, the reporter is free to publish about the vulnerability and the way they discovered it.
\item However Zeus WPI would appreciate if they could review the publication before it is made public, in order to verify the correctness of the publication. If the vulnerability is particularly interesting Zeus WPI can offer the reporter to write a publication for the blog managed by Zeus WPI.
\item If desired, the reporter can choose to remain anonymous. However, in such a case, Zeus WPI cannot be held responsible if the reporter is (or can be) identified via the submitted data and/or information.
2020-11-15 17:43:56 +01:00
\end{enumerate}
\section{Our expectations}
\begin{enumerate}
\item The reporter is expected to notify Zeus WPI as quickly as possible after discovering the vulnerability.
\item The reporter is expected to contact Zeus WPI via a medium that allows two-way communication. This way Zeus WPI can keep the reporter in the loop.
\item When notifying Zeus WPI of a vulnerability, the reporter is expected to have read the \emph{responsible disclosure policy} (this document).
\end{enumerate}
\section{Applicable rules}
\begin{enumerate}
\item The reporter keeps the vulnerability confidential until Zeus WPI has had a change to resolve the vulnerability. This implies that the reporter does not communicate about the vulnerability and does not make any publications until Zeus WPI has remedied the vulnerability.
2020-11-15 17:43:56 +01:00
\item The reporter does not abuse the situation; this implies the following:
\begin{itemize}
\item The reporter only does the absolute minimum that is required to determine the vulnerability.
\item The reporter reads and/or copies as little data as needed to highlight the vulnerability.
\item Since most applications developed, run and managed by Zeus WPI are open-source, Zeus WPI expects that further testing is done on a privately run instance. These privately run instances, can be used as a sandbox, without posing a risk to the data and information held in production.
\end{itemize}
\item The reporter does not perform any of the following actions:
\begin{itemize}
\item Placing malware, of any kind, in the vulnerability.
\item Removing, altering, adding or copying data.
\item Make changes to the system that the vulnerability runs ons.
\item Reinforce the vulnerability, with the intention of (re-)using it a later time.
2020-11-15 17:43:56 +01:00
\item Repeatedly gain access to the vulnerability, or share this access with others.
\item Using automated scanning tools on production-instances of our applications. On privately run instances this is allowed, since they operate as a sandbox.
\item Using brute-force to gain access to systems managed by Zeus WPI.
\item Using social-engineering to gain access to systems managed by Zeus WPI.
\end{itemize}
\item The reporter will not execute any type of attack that compromises physical security. These type of attacks include but are not limited to: breaking into buildings, using a computer when a member has forgotten to log out or is absent for a few moments.
\item The reporter will not use (or abuse) vulnerabilities to perform attacks, such as distributed denial-of-service (ddos), spam or others, on other systems managed by Zeus WPI or third party systems.
\item All data and information the reporter has obtained, should be immediately deleted after reporting the vulnerability.
\end{enumerate}
\section{Signalling us}
If a vulnerability is discovered the reporter can send an email to \href{mailto:admin@zeus.ugent.be}{admin@zeus.ugent.be}. Alternatively the reporter can send a private message to one of the elected system-administrators via the chat platform managed by Zeus WPI. The currently elected system-administrators (as well as the rest of the board) can be found on \url{https://zeus.ugent.be/about/about/}{https://zeus.ugent.be/about/about/}. If the reporter prefers and end-to-end encrypted medium for communication, they can contact the system-administrators to arrange this.
\section{Origins}
This text is derived from `VRT-beleid van gecoördineerde bekendmaking van kwetsbaarheden' written by the VRT (Vlaamse Radio \& Televisie - Flemish Radio \& Television) and translated into English by Zeus WPI. The document by VRT in turn was based on `Responsible Disclore' by Floor Terra, released under the \emph{Creative Commons Attribution 3.0} license.
\end{document}