Vulnerability disclosure policy

Scitum
SCILabs


Introduction

Scitum’s mission is “To create safe digital environments that contribute to the evolution of society”. Our philosophy is therefore to encourage, support and share both experience and knowledge, and one way we do this is through this vulnerability disclosure policy.

Objective

We want to work in cooperation with researchers whose interest is centered on making cyberspace a safer place. If you have identified a vulnerability or security flaw in our infrastructure, services, web portals and/or Internet-facing web applications and you wish to help, we invite you to share what you found with us.

Scope

Reports of the following types of vulnerabilities will be handled under this policy:

  • Remote code execution
  • Buffer overflow
  • SQL injection
  • Misconfigurations that lead to the exposure of potentially sensitive information
  • Cross-site scripting
  • Insecure deserialization
  • XML External Entity
  • Indexed active sessions
  • Web applications logic flaws
  • Previously unknown technical vulnerabilities (0-day)
  • CSRF, authentication issues, hard-coded credentials

The following vulnerabilities are beyond the scope of this policy and will not be handled:

  • Human-factor issues
  • Digital certificate issues
  • Social engineering attacks
  • Denial-of-service (DoS) attacks

The assets covered by this policy are:

  • Scitum web portal https://www.scitum.com.mx/
  • Magazcitum web portal https://www.magazcitum.com.mx/
  • Resources portal https://resources.scitum.com.mx/
  • SCILabs blog https://blog.scilabs.mx/
  • Scitum’s infrastructure exposed to the Internet

Legal considerations

Scitum will not take legal action against you for the discovery of vulnerabilities and/or security breaches if, and only if, you comply with the following requirements:

  • You know and follow Mexican laws and regulations
  • You test without damaging the technological asset (no destructive testing)
  • You provide only the minimum evidence and information necessary to validate the vulnerability
  • You refrain from revealing or publishing the vulnerability/security breach for a reasonable period of time, so that Scitum can work on its mitigation

Communication mechanisms

You can send us your research by encrypted email (see Public Key) to vulnerability_disclousure@scitum.com.mx. You must include:

  • Your name
  • Your nickname/handle
  • E-mail
  • Type of detected vulnerability
  • Title
  • Description: how did you find it?
  • The steps you followed to find it (so that we can reproduce the finding)
  • If you used a tool, please name it
  • Attachments

  • If you found several vulnerabilities, report each one separately.

We accept reports in both English and Spanish.

Handling and processing of received reports

Scitum will use the following criteria to prioritize and categorize reports:

  • The quality and quantity of the information you send us, which allows us to better understand the finding; for instance, you may include the test code you used when identifying the vulnerability. The structure and presentation of the report will also be taken into account
  • The risk assessed from the documented findings
  • The date of the findings

We are committed to:

  • Investigate all received reports; Scitum will reply within a maximum of 72 hours and will also indicate the time needed to analyze and verify the vulnerability
  • Contact the researcher to discuss the findings
  • Notify you when we have concluded the analysis of the vulnerability
  • Credit your work

At the end of the investigation we may publish the joint research (with your prior consent) once we are sure that the vulnerability has been mitigated and our asset is no longer at risk. If you decide to publish your research yourself, we ask you to commit not to publish the vulnerability while it is still under investigation.


Revision

This document was created in January 2020 and will be updated at least every 90 days.