Security Vulnerability Disclosure Policy

Effective date: 23rd of September 2019

ACCEPTANCE TO SECURITY VULNERABILITY DISCLOSURE POLICY

By using our platform, you accept our Security Vulnerability Disclosure Policy, including our Terms and Conditions and Privacy Policy. If you do not agree with our Security Vulnerability Disclosure Policy, Terms and Conditions, or Privacy Policy, you should not proceed in accessing our platform and submitting a security vulnerability information.


DEFINITIONS OF TERMS


  • Security Programs: Security Teams may launch a Security Program and publish a policy designed to guide security researcher in finding security vulnerabilities into a particular service or product. If this security program is private, your participation is entirely optional and subject to non-disclosure by default.

  • Security Researcher: They are commonly known as hackers, white hat hackers, or bug bounty hunters who use the Secuna platform to provide security vulnerability information to different security programs.

  • Security Team: A team of individuals responsible for addressing a product or service's security issues. Depending on the circumstances, this could be an organization's formal security team, a group of volunteers of an open-source project, or an independent volunteer.

  • Security Vulnerability: A software bug that would allow an attacker to perform penetration testing. 

  • Security Vulnerability Information: A bug report or other security vulnerability information, in text, graphics, image, audio,  video, software, hardware, works of authorship of any kind, and information or other material that security researchers provide or otherwise made available through the Secuna platform to a Customer resulting from participation in a security program.

Security is core to our values, and we value the input of hackers acting in good faith to help us maintain a high standard for the security and privacy for our users. This includes encouraging responsible security vulnerability research and disclosure. This policy also sets out our definition of good faith in the context of using our platform, interacting with different users, finding and reporting security vulnerabilities, as well as what you can expect from us in return. To avoid any confusion, we ask you:


  • To play by the rules. This includes following this policy, as well as any other relevant terms or agreements, including the standards set forth by the Security Teams. If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail;
  • To be kind and cordial at all times. Any form of harassment, abusive language, profanity, or threats will not be tolerated in our platform nor tolerate any discrimination based on race, ethnicity, nationality, level of experience, personal and physical appearance, age, religion, gender identity and orientation, political beliefs, or others.
  • To report any security vulnerability you’ve discovered;
  • To make a reasonable faith effort to avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
  • To keep the details of any discovered security vulnerabilities confidential until they are resolved, according to the Disclosure Policy;
  • To Maintain communication in our platform. Secuna is not liable for any damage caused by communicating or disclosing security vulnerability information outside the platform. So, please do not use emails, social media accounts, or other private ways to communicate a member of a security program in regards to security vulnerabilities or any  related issues, unless they instructed you to do so.
  • To not engage in extortion. Any attempt to obtain bug bounties, money, or services by coercion is strictly prohibited. If you know or have information about a potential security vulnerability or inadvertently come into possession of private data, please promptly ethically initiate the disclosure process as described below.
  • To be patient with the progress of resolving your reported security vulnerability;
  • To not impersonate any users on Secuna. Social engineering attempts to another party trough impersonation of a Secuna employee, another security researcher, or a security team is unauthorized and will not be tolerated.
  • To perform penetration testing only on in-scope targets, and respect systems and activities which are described on out-of-scope;
  • To not farm points. Farming for points or bug bounties are prohibited.
  • To limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information; and
  • To interact only with test accounts you own or with explicit permission from the account holder.

SECURITY VULNERABILITY PROCESSES


Security Vulnerability Submission

Before submitting any potential security vulnerability, always review the policy of the security program very carefully. Security Teams will publish their own policy to give more details and guide security research into a particular target, app, service, or product. These policies may superseded this disclosure policy. A report should be made and submitted to the appropriate security program under our platform if you believe you have found a potential security vulnerability. Your report should include a detailed description and explanation of the discovered security vulnerability with easy-to-follow reproducible steps or a working proof-of-concept (POC). The report will be continuously updated when the vulnerability has been investigated and validated, when more information is being requested from you, or when you have qualified for a bug bounty.


Security Vulnerability Disclosure

By default, the contents of the report will be made available to the Security Team once it is submitted on the Secuna platform and will initially remain private to allow the Security Team sufficient time to publish remediation. Once the report has been closed and resolved, Public disclosure may be requested by Security Researcher. The following events can happen in the Security Vulnerability Disclosure Process:


  • When 90 days have elapsed with the Security Team being unresponsive, unable, or unwilling to respond to your report or provide a vulnerability disclosure timeline, the contents of the Report may be publicly disclosed by the Security Researcher. We do believe transparency is important in these extreme cases.
  • When the Security Team of any security program has evidence of active exploitation or imminent public harm, they may immediately provide remediation details to the public so that users can take protective action to avoid getting hacked.
  • When the Security Team needs more time to remediate the security vulnerability due to complexity and other factors, an extension can be made so that the report may remain private to ensure that the Security Team has an enough time to remediate the security vulnerability.
  • When both parties are in agreement, the contents of the report can be made public on a mutually agreed deadline.

Private Security Program

Private security programs may send invitations to some security researchers, and participation in these private security programs is subject to strict non-disclosure. Before accepting an invitation, Security Researchers should carefully review any security program policies and non-disclosure agreements necessary for participation.


POLICY ENFORCEMENT

  • If you see a user violating this policy, please reach out to our team at [email protected]
  • If a user breach one of the rules listed above, we will issue a written warning. If the user continues with his/her negative behavior, We will suspend access to the platform for a reasonable period of time. If the user’s behavior remains after the first two measures are taken, we will issue a permanent platform ban.
  • If a user breaks the rules in our platform in a particularly egregious manner, we reserve the right to issue a permanent ban on the platform immediately.

AMENDMENTS

We may revise our Security Vulnerability Disclosure Policy from time to time. When we update our Security Vulnerability Disclosure Policy, we will revise the "Last Updated" date above, inform you via email, and post the new Privacy Policy to our sites.


SECUNA INFORMATION

Secuna is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at [email protected] or follow us on Twitter @SecunaSecurity.