top of page

RESPONSIBLE DISCLOSURE COORDINATION

Found a vulnerability in our or others' systems? Want them fixed? Tell Us

OBJECTIVE

  1. Provide a safe space for vulnerability disclosure; 

  2. Encourage addressing and fixing of discovered vulnerabilities; and 

  3. Develop awareness and provide education on vulnerabilities found to promote a safer cyberspace. 

Responsible Disclosure Coordination: Text

DISCLOSURE STEPS

  1. Vulnerability discoverer notifies Div0 of the discovered vulnerability. 

  2. Div0 works with the vulnerability discoverer, affected system owner(s), and/or through relevant agencies and authorities to address the issues discovered.

  3. Div0 develop educational artefacts e.g. blog post regarding the discovered vulnerability.

Responsible Disclosure Coordination: Text

DIV0'S RESPONSIBLE DISCLOSURE COORDINATION POLICY

PRINCIPLE & INTENT

Div0 ensures all respective system owner(s) and relevant authorities are duly notified and accorded sufficient time to remediate the discovered vulnerability before any disclosure is made public. The intent of the aforementioned is to ensure that affected parties have adequate time to carry out the appropriate amendments without suffering from adverse effects arising from a disclosed vulnerability.

PUBLICATION SCHEDULE

As a rule of thumb, Div0 will develop educational artefacts e.g. a blog post regarding the discovered vulnerability after the vulnerability is remediated. However, to balance the need for the public to be informed of the vulnerability with the need for affected parties to be accorded time to respond effectively, the final publication schedule will be determined at the discretion of Div0.

WINDOW TO RESPOND

Div0 will do its best to notify the affected system owner(s), and relevant authorities. The affected system owner(s), and relevant authorities have 3 weeks (i.e. 21 calendar days) to acknowledge receipt of the first vulnerability notification before a disclosure is made.

OWNERSHIP OF DISCOVERY & RELATED WORK

All rights and ownership over the submitted work shall remain with the owner of the discovery. Div0 does not claim the rights, ownership, nor responsibility for any submitted work.

IDENTIFICATION OF INVOLVED PARTIES

Parties involved may request to have their identities or association withheld from the disclosure of any vulnerability findings. Otherwise, all associated parties may be identified in the educational artefacts.

RULES OF ENGAGEMENT

All vulnerability discovery must follow these rules of engagement. This applies especially to web applications. 

  1. No denial-of-service (DoS) attacks allowed; 

  2. No automated scanning tools allowed, e.g. Nmap, Nessus, Nikto, Hydra; 

  3. No SQL injection allowed; 

  4. No phishing allowed; 

  5. No defacement allowed, e.g. persistent cross-site scripting (XSS); 

  6. No consecutive automated requests exceeding 60 hours; 

  7. All vulnerability shall be reported within 48 hours of discovery; and 

  8. The informant shall document details such as time, activity description, observation, and IP address of the discovery. 

Informants are advised to work with the affected system owner(s) to conduct more pervasive or active vulnerability discovery.

Responsible Disclosure Coordination: List
bottom of page