1
0
Fork 0
forked from ZeusWPI/drive
drive/varia/responsible_disclosure_policy_en.md

40 lines
3 KiB
Markdown
Raw Normal View History

# Responsible Disclosure Policy
We believe it is important for our infrastructure and information to be secure. We do our best to ensure this, but of course, it can always happen that unexpected security issues arise. Please let us know as soon as possible if you discover any, so we can fix them. This Responsible Disclosure policy applies to all Zeus systems.
## What We Promise/Offer
- If you adhere to the following rules and do nothing illegal, we will not take legal action against you.
- During the process of resolving the issue, we will keep you updated on the progress.
- We aim to resolve the issue as quickly as possible and will respond to the report within 7 days.
- After the security issue is resolved, you may publish information about it. It would be great if we could review this before you publish it, to ensure all information is accurate. If it is a cool security issue, there is an option to write a blog post about it that can be published on the Zeus blog.
- If desired, anonymity in reporting security issues is possible. The reporter is responsible for maintaining their anonymity.
## What We Expect From You
- Report the discovery of an issue as soon as possible after finding it.
- Contact us in a way that allows us to reach you as well.
- Confirm that you have read this Responsible Disclosure Policy.
## Applicable Rules
- Do not make the vulnerability public and do not communicate about it with others until we have resolved the issue.
- Do not abuse the situation: only do the minimum necessary to confirm the vulnerability exists and do not delete, modify, read, or copy more data than necessary to demonstrate the issue. Most of our applications are open source, so we expect you to test any vulnerabilities on instances you set up yourself, not on production instances.
- Do not engage in the following actions:
- Installing malware.
- Copying, modifying, or deleting data in a system.
- Making changes to the system.
- Repeatedly accessing the system or sharing access with others.
- Using automated scanning tools on production instances of our applications. You may use these on your own local instances.
- Attempting to brute-force access to systems.
- Using denial-of-service or social engineering tactics.
- Do not use attacks on physical security, social engineering, distributed denial-of-service, spam, or third-party applications.
- Delete all data obtained through the vulnerability immediately after reporting it.
## How to Contact Us
Send an email to admin@zeus.ugent.be or a private message to one or more elected system administrators via our chat platform. If you prefer to communicate via an end-to-end encrypted communication platform, you can also contact the system administrator to arrange this.
This text is a derived work from "VRT-beleid van gecoördineerde bekendmaking van kwetsbaarheden" by the VRT, which was itself based on "Responsible Disclosure" by Floor Terra, used under a Creative Commons Attribution 3.0 license.
Last modified: 2020-11-17