Vulnerability Disclosure Policy


Protecting our systems, and the data entrusted to us by our associates, clients and customers, is integral to what we do.

We value the work done by security researchers in making the Internet a safer and more secure space, and have developed this policy using guidance from ISO 29147:2018.

If you have identified a security vulnerability in our products, services or systems, we would like to work with you to improve our systems. Please review this policy before attempting to test or report a vulnerability.

A security vulnerability is a weakness in a product, service or system that could allow an attacker to compromise the integrity, availability, or confidentiality of that product, service or system.

Reporting vulnerabilities

You can report any vulnerability you discover in our systems by e-mailing security@rayzig.com. More details on how to contact us, including how to secure your communications, are provided later in this policy.

In all cases, you must:

  • Respect our associates’, clients’ and customers’ privacy. Contact us immediately if you access anyone else’s data, personal or otherwise. This includes usernames, passwords and other credentials. You must not save, store or transmit this information
  • Act in good faith. You should report the vulnerability to us with no conditions attached
  • Work with us. Promptly report any findings to us, stopping after you find the first vulnerability and requesting permission to continue testing. Allow us a reasonable amount of time to resolve the vulnerability before publicly disclosing it

And you must not:

    • Exfiltrate data. Instead use a proof of concept to demonstrate a vulnerability
    • Use a vulnerability to disable further security controls
    • Perform social engineering
    • Perform any testing of physical security
    • Break the law, or any agreements you may have with Rayzig or third parties

Testing for vulnerabilities

If you want to actively test our systems for vulnerabilities, you must:

    • Only test systems that are in scope of this policy. These are listed further down in this policy
    • Use a test, or other non-production, environment if it is available to you
    • Only test vulnerabilities using your own accounts, or accounts that you have permission to test with

And you must not:

  • Perform testing likely to provide you with access to someone else’s data
  • Perform testing likely to delete, destroy or corrupt anyone else’s data
  • Perform testing likely to affect other users, e.g. denial of service, brute-force attacks or spamming
  • Use automated scanners/fuzzers
  • Test systems not in scope of this policy

You can help us by:

    • Providing the IP address from which you performed the testing so that we can view logs related to your testing.
    • Clearly identifying your traffic, for example by including a unique custom HTTP header such as X-Rayzig-CVD:<youremail@address>
    • Providing us with detailed information about the vulnerability to help us confirm it, e.g.:
      • The URL of the product, service or system
      • If the vulnerability is in code that Rayzig distributes, the code element name and version number
      • A description of the vulnerability
      • The steps needed to reproduce the vulnerability, any proof-of-concept code
      • Any screenshots
      • Details of the browser and OS used during testing
      • How you prefer to be contacted
      • Any current plans you have to disclose the vulnerability

What we’ll do

Rayzig will:

  • Respond to and acknowledge your report within seven calendar days
  • Ask for any additional information we need to investigate your report
  • Work with you to confirm the vulnerability, the extent to which it affects us, and let you know how long we think the vulnerability will take to fix. Our aim is to fix vulnerabilities within 90 days of confirmation
  • Notify you when the vulnerability has been fixed
  • Where appropriate, release information about the issue to our associates, customers, and clients, or the public to help others determine if they are affected by the vulnerability, and if so, what they need to do
  • Review what went wrong and update our practices and processes to improve our products and services
  • If you wish, acknowledge your assistance to Rayzig on this page
  • Promise not to take legal action against you for accessing (or attempting to access) our systems as long as this policy is followed and you do not cause foreseeable harm
  • Treat your report as confidential, treat your data according to our privacy policy, and not pass your personal data onto any third parties without your permission


There are some issues that we may not consider to be security vulnerabilities, but you can still report them to us. We will respond and inform you why we do not consider the issue to be a security vulnerability. These are largely non-exploitable weaknesses or configuration issues, e.g.:

  • Missing security headers that may be best practice but do not impact the security of the system in this instance
  • Support for older, but non-exploitable, protocols and cipher suites, such as TLS 1.1
  • Fingerprinting/version detection
  • Out of date software, with no exploitable vulnerability


Communicating with Rayzig

If you are worried about the confidentiality of information sent to Rayzig as part of this process, we recommend you send the information using PGP/GPG. Details of Rayzig’s Public PGP key can be found here.

You may wish to report something to us entirely anonymously. We are happy for you to do this, but it may make it difficult for us to confirm the vulnerability and acknowledge your efforts if we are unable to contact you. We may also fail to identify your activity if you are anonymous, for example, if you do not wish to provide us with the IP address used to test our systems.

Scope of the policy

This policy is under active development. We are using a limited scope to help us explore what works well and what does not. The scope of the policy will change over time.

Systems in scope

The fully qualified domain names of the systems within scope are listed below. Subdomains not explicitly listed are not in scope. All systems within scope can be identified by the presence of security.txt within their web root, for example https://rayzig.com/security.txt.

  • rayzig.com
  • test.rayzig.com


Systems not in scope

  • All systems not explicitly listed as in scope


If you are unsure as to whether a system is in scope, please contact us first.

Rayzig employees and contractors

If you are a Rayzig employee or contractor, use the internal process for reporting incidents, not this external process.

We would like to encourage you to work on security problems that cannot be addressed externally and ensure that your efforts are recognised by our performance management system. For more information contact the information security team.

Hall of fame

Rayzig would like to thank the following people for helping improve the security of our products, services, and systems:
