ITER

Vulnerability Report

ITER Organization Vulnerability Report Guidelines

Introduction

The purpose of this document (hereinafter referred to as "Guideline") is to provide guidelines to natural or legal persons (hereinafter referred to as "security researcher(s)") conducting vulnerability discovery activities on the ITER Organization's publicly accessible IT system (hereinafter referred to as "IT System") on how to report the discovered vulnerabilities to the ITER Organization.

This Guideline defines (i) which IT System and which research activities are in scope, (ii) how to submit vulnerability reports to the ITER Organization, and (iii) the remediation period we ask security researchers to observe before any disclosure.

We encourage you to contact us to report potential vulnerabilities affecting our IT System.

Test methods

THE FOLLOWING TEST METHODS ARE NOT AUTHORIZED:

  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
  • Automated scanners or tools that generate large amounts of network traffic

Reporting a vulnerability

When you believe you have found a vulnerability in the IT System and would like to report it, we ask that you submit a detailed description of the vulnerability, without including sensitive information, by email to it-security[@]iter[.]org.

The ITER Organization may use your report for any purpose deemed relevant, including without limitation for the purpose of correcting any vulnerabilities and errors that are reported and that the ITER Organization deems to exist and to require correction. To the extent that you propose any changes and/or improvements to an ITER Organization IT System in your report, you assign to the ITER Organization all use and ownership rights to your report.

You agree not to disclose to any third party any information related to your report, the vulnerabilities and/or errors reported, or the fact that vulnerabilities and/or errors have been reported to the ITER Organization until we have notified you.

If you submit your contact information, the ITER Organization will only use it to get in touch with you in case clarification is needed about details of your report, or to thank you for it; it is therefore important to provide valid contact details such as an email address.

Once the reported vulnerability in the IT System has been remediated, the security researcher will be notified unless he/she wishes to remain anonymous.

We take security concerns seriously and work to evaluate and address them in a timely manner. Response timelines depend on many factors, including the severity, the product affected, the current development cycle, QA cycles, and whether the issue can only be fixed in a major release.

By reporting vulnerability findings to the ITER Organization, the security researcher acknowledges that such reporting is provided pro bono and without expectation of financial or other compensation. The security researcher also affirms that neither he/she nor any entity that he/she represents is complicit in human rights abuses, tolerates forced or compulsory labour, uses child labour, or acts contrary to the purposes and principles of the ITER Organization.

Questions

Questions regarding this policy may be sent to @email