Responsible Disclosure page #58

Open
dsernst opened this issue Dec 11, 2023 · 2 comments
Comments

@dsernst
Member

dsernst commented Dec 11, 2023

We discussed yesterday wanting to add a page outlining our philosophy about responsible disclosures.

Contents:

  • What we're asking for and what we're offering relating to outside security researchers.
  • TBD
@arianabuilds
Member

arianabuilds commented Dec 14, 2023

Draft —

Responsible Disclosure Policy

Introduction

At Secure Internet Voting (SIV), we prioritize the security of our systems and data. We recognize the valuable role that ethical security researchers and our community play in maintaining the security and integrity of our services. This Responsible Disclosure Policy is designed to give clear guidelines on how to responsibly report identified security vulnerabilities.

Scope

This policy applies to any security vulnerabilities you believe you have discovered in any product, service, or system offered by SIV. We request that you do not disclose the vulnerability to the public or third parties in a manner that can cause harm or damage.

Reporting a Vulnerability

If you believe you have found a security vulnerability, please report it to us as soon as possible. We ask that you:

  • Email your findings to [[email protected]].
  • Provide sufficient information to reproduce the vulnerability, so we can resolve it as quickly as possible. Typically, this includes a description of the vulnerability, its potential impact, and a step-by-step guide to reproduce the issue.
  • Avoid exploitation of the vulnerability, e.g., downloading more data than necessary to demonstrate the vulnerability, or deleting or modifying other people's data.

Our Commitment

Upon receiving your report, we commit to:

  • Acknowledging receipt of your report within 72 hours.
  • Investigating the report and working to understand the impact and root cause.
  • Working to address the issue in a timely manner and keeping you informed of our progress.
  • Not pursuing legal action or law enforcement interaction for responsible disclosure.
  • Keeping the communication open and transparent.

Confidentiality

We ask that you keep your findings confidential until we have had a chance to address them. We understand that not all security issues can be immediately fixed and require time to patch. We aim to resolve all issues as quickly as possible, and we ask for your cooperation in maintaining confidentiality during this period.

Recognition

We believe in recognizing the efforts of security researchers who responsibly disclose vulnerabilities. We will acknowledge your contribution in our security update communications, should you wish.

Limitations

While we encourage the reporting of security vulnerabilities, please note:

  • We have not documented all potential attack vectors in our public documentation for security reasons.
  • There may be some vulnerabilities we are already aware of and are in the process of addressing.

Contact Us

For any questions or concerns, please contact [[email protected]].

@arianabuilds
Member

arianabuilds commented Dec 14, 2023

Or something a bit less formal —

Responsible Disclosure at Secure Internet Voting (SIV)

Spot a Security Issue? Let’s Tackle It Together

Intro

We’re all about security at SIV, but nobody's perfect. If you’ve noticed a security problem in our systems, we want to be the first to know. We ask that you don’t share this publicly until we’ve had a chance to fix it.

Got a Security Tip?

Send us a note at [email protected]. Include these details:

  • A clear description of the issue.
  • Steps we can follow to see the problem ourselves.
  • Please avoid actions that could harm the system or data.

Our Promise to You:

  • We’ll acknowledge your email within 72 hours.
  • We’ll investigate thoroughly and work on a fix.
  • No legal action for reports made in good faith.
  • Transparent and ongoing communication.

Confidentiality Matters

We ask for your discretion until the issue is resolved. Some fixes take time, and we’re committed to getting it right.

Credits Where They're Due

We appreciate your help and are happy to give credit in security updates, if you like.

Heads-Up

  • Not every potential issue is in our public docs — that’s for security.
  • We might already be working on something you find.

Questions or Thoughts?

Feel free to reach out at [email protected].
