DIV0'S RESPONSIBLE DISCLOSURE COORDINATION POLICY
PRINCIPLE & INTENT
Div0 ensures all respective system owner(s) and relevant authorities are duly notified and accorded sufficient time to remediate the discovered vulnerability before any disclosure is made public. The intent of the aforementioned is to ensure that affected parties have adequate time to carry out the appropriate amendments without suffering from adverse effects arising from a disclosed vulnerability.
As a rule of thumb, Div0 will develop educational artefacts e.g. a blog post regarding the discovered vulnerability after the vulnerability is remediated. However, to balance the need for the public to be informed of the vulnerability with the need for affected parties to be accorded time to respond effectively, the final publication schedule will be determined at the discretion of Div0.
WINDOW TO RESPOND
Div0 will do its best to notify the affected system owner(s), and relevant authorities. The affected system owner(s), and relevant authorities have 3 weeks (i.e. 21 calendar days) to acknowledge receipt of the first vulnerability notification before a disclosure is made.
OWNERSHIP OF DISCOVERY & RELATED WORK
All rights and ownership over the submitted work shall remain with the owner of the discovery. Div0 does not claim the rights, ownership, nor responsibility for any submitted work.
IDENTIFICATION OF INVOLVED PARTIES
Parties involved may request to have their identities or association withheld from the disclosure of any vulnerability findings. Otherwise, all associated parties may be identified in the educational artefacts.
RULES OF ENGAGEMENT
All vulnerability discovery must follow these rules of engagement. This applies especially to web applications.
No denial-of-service (DoS) attacks allowed;
No automated scanning tools allowed, e.g. Nmap, Nessus, Nikto, Hydra;
No SQL injection allowed;
No phishing allowed;
No defacement allowed, e.g. persistent cross-site scripting (XSS);
No consecutive automated requests exceeding 60 hours;
All vulnerability shall be reported within 48 hours of discovery; and
The informant shall document details such as time, activity description, observation, and IP address of the discovery.
Informants are advised to work with the affected system owner(s) to conduct more pervasive or active vulnerability discovery.