CSCSW Responsible Disclosure Process
This section is for security researchers who are interested in reporting security vulnerabilities on the CSCSW platform. We value the assistance of the security research community and encourage researchers or others to report any potential vulnerabilities in accordance with the guidelines below.
Safe Harbor
We will not pursue legal action against researchers who comply with the CSCSW defined responsible disclosure process.
Reward / Compensation
CSCSW does not operate a bug bounty program and makes no offer of reward or compensation. If you are the first to report a qualifying vulnerability and would like to be included in our Security Researcher Hall of Fame, please provide us with your name and a link for recognition.
Reporting Instructions
- Email us at [email protected].
- Report issues promptly and do not attempt to further exploit the system or its data once you have confirmed and documented the issue.
- Include a detailed description of the vulnerability: tools utilized, target, processes, and results.
- Do NOT include any sensitive/personal/non-public data samples; a description of such data is sufficient.
Acknowledgement and Response
When the CSCSW Information Security Team receives a report, we will send an acknowledgement within three business days. Request(s) for further information may be sent as needed. After validation/verification of a vulnerability, we will continue to communicate with you until the issue is resolved.
Timeframe
CSCSW will not negotiate in response to a threat (e.g., a threat of withholding, or threat of releasing the vulnerability to the public). However, we will work with you, and ask that you allow us a reasonable amount of time for both the validation/verification and the resolution of the vulnerability before taking action to make it public. We will not share names or contact data of security researchers unless given explicit consent.
External Vulnerability Reporting
Reporting of vulnerability information to other third parties or vendors will be determined at the discretion of CSCSW.
Responsible Disclosure Guidelines
DO:
- Do cease testing and report the vulnerability or exposure of non-public or sensitive data as quickly as is reasonably possible to [email protected], to minimize the risk of hostile actors finding or taking advantage of it.
- Do provide sufficient information to reproduce the problem so we will be able to resolve it as quickly as possible. Usually, the IP (Internet Protocol) address or the URL (Uniform Resource Locator) and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
- Do limit testing to CSCSW owned applications as defined in the ‘In-Scope’ section of this policy.
- Do remove any non-public or sensitive data from your system that might have been obtained during testing.
DO NOT:
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, making changes to the system, installing malicious software, or deleting or modifying other people’s data.
- Do not test third-party applications, websites, or services that integrate with, or link to or from CSCSW systems.
- Do not test in a manner which could degrade the operation of CSCSW systems or intentionally impair, disrupt, or disable CSCSW systems.
- Do not build your own backdoor into a system, even if the intention is to demonstrate the vulnerability; doing so can cause additional damage and create unnecessary security risks.
- Do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam, phishing, or applications of third parties.
- Do not include any sensitive/personal/non-public data samples in your report; a description of such data is sufficient.
In Scope
All publicly accessible domains, applications, and systems owned by CSCSW and its subsidiaries. If you have any other information you would like to provide to our security team, please do so via the Reporting Instructions.
Out of Scope
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Vulnerabilities that require access to an already compromised user account (unless access to an account exposes other accounts).
- Policies as opposed to implementations, such as email verification or password length or reuse.
- Spam (unless a specific vulnerability leads to easily sending spam).
- Missing security headers or ‘best practices’ (except if you are able to demonstrate a vulnerability that makes use of their absence).
- Distributed Denial of Service attacks (DDoS).
- Social engineering attacks.
- Third party applications we make use of but do not control (e.g., a media library or social media service).
Security Researcher Hall of Fame
CSCSW would like to publicly express our gratitude to the following security researchers for responsibly disclosing vulnerabilities and working with us to remediate them. We truly appreciate your remarkable efforts!