Division Zero (Div0). Copyright © 2011-2018

All rights reserved.

RESPONSIBLE DISCLOSURE COORDINATION PROGRAMME

Found a vulnerability in our systems or in someone else's? Tell us!

Div0 runs a Responsible Disclosure Coordination Programme which facilitates responsible disclosure between vulnerability discoverers and affected system owners.

OBJECTIVE

The objective of Div0's Responsible Disclosure Coordination Programme is to: 


  1. Provide a safe space for vulnerability disclosure; 

  2. Encourage addressing and fixing of discovered vulnerabilities; and 

  3. Develop awareness and provide education on vulnerabilities found to promote a safer cyberspace. 

COORDINATION WORKFLOW

  1. Vulnerability discoverer notifies Div0 of the discovered vulnerability. 

  2. Div0 works with the vulnerability discoverer, the affected system owner(s), and, where appropriate, the relevant authorities to address the issues discovered. 

  3. Div0 develops educational artefacts, e.g. a blog post, regarding the discovered vulnerability.

DIV0'S RESPONSIBLE DISCLOSURE COORDINATION POLICY

PRINCIPLE & INTENT

Div0 ensures that all respective system owner(s) and relevant authorities are duly notified and accorded sufficient time to remediate the discovered vulnerability before any disclosure is made public. The intent is to give affected parties adequate time to carry out the appropriate fixes without suffering adverse effects from a publicly disclosed vulnerability. 

PUBLICATION SCHEDULE

As a rule of thumb, Div0 will develop educational artefacts, e.g. a blog post, regarding the discovered vulnerability only after the vulnerability is remediated. However, to balance the public's need to be informed of the vulnerability against the affected parties' need for time to respond effectively, the final publication schedule will be determined at the discretion of Div0. 

WINDOW TO RESPOND

Div0 will do its best to notify the affected system owner(s) and relevant authorities. The affected system owner(s) and relevant authorities have 3 weeks (i.e. 21 calendar days) to acknowledge receipt of the first vulnerability notification before a disclosure is made. Note that this window applies to acknowledgement of the notification, not to completion of remediation; the publication schedule above governs the latter. 

OWNERSHIP OF DISCOVERY & RELATED WORK

All rights and ownership over the submitted work shall remain with the owner of the discovery. Div0 does not claim the rights, ownership, nor responsibility for any submitted work. 

IDENTIFICATION OF INVOLVED PARTIES

Parties involved may request to have their identities or association withheld from the disclosure of any vulnerability findings. Otherwise, all associated parties may be identified in the educational artefact. 

RULES OF ENGAGEMENT

All vulnerability discovery must follow these rules of engagement. This applies especially to web applications, where testing activity is indistinguishable from an attack to the system owner. 


  1. No denial-of-service (DoS) attacks allowed; 

  2. No automated scanning or brute-forcing tools allowed, e.g. Nmap, Nessus, Nikto, Hydra; 

  3. No SQL injection allowed; 

  4. No phishing allowed; 

  5. No defacement allowed, e.g. persistent cross-site scripting (XSS); 

  6. No runs of consecutive automated requests exceeding 60 hours; 

  7. All vulnerabilities shall be reported within 48 hours of discovery; and 

  8. The informant shall document details of the discovery such as the time, a description of the activity, the observations made, and the IP address from which the activity was carried out, so that the system owner can match the activity against their own logs. 

Informants who wish to conduct more intrusive or active vulnerability discovery than these rules permit are advised to first agree the scope with the affected system owner(s).