Scitum’s mission is “To create safe digital environments that contribute to the evolution of society”. Our philosophy is therefore to encourage, support and share both experiences and knowledge, and one way to do so is through this vulnerability disclosure policy.
We want to work in cooperation with researchers whose interest is centered on making cyberspace a safer place. Consequently, if you have identified a vulnerability or security flaw in our infrastructure, services, web portals and/or Internet-facing web applications, and you wish to help, we invite you to share with us what you found.
The following types of vulnerabilities will be handled under this policy:
Remote code execution
Misconfigurations that lead to the exposure of potentially sensitive information
XML External Entity (XXE)
Indexed active sessions
Web application logic flaws
Unknown technical vulnerabilities (0-day)
CSRF, authentication issues, hard-coded credentials
The following vulnerabilities are out of scope for this policy and will not be handled:
Digital certificate issues
Social engineering attacks
The assets considered under this policy are:
Scitum web portal https://www.scitum.com.mx/
Magazcitum web portal https://www.magazcitum.com.mx/
Resources portal https://resources.scitum.com.mx/
SCILabs blog https://blog.scilabs.mx/
Scitum’s infrastructure exposed to the Internet
If you follow this policy, Scitum will not take legal action for the discovery of vulnerabilities and/or security breaches, provided that you comply with the following requirements:
You know and follow Mexican regulations and legislation
You test without damaging the technological asset
You show only the minimum evidence and information necessary to validate the vulnerability
You refrain from revealing or publishing the vulnerability/security breach for a reasonable period of time, so that Scitum can work on its mitigation
You can send us your research by encrypted email (see Public Key) to firstname.lastname@example.org. You must include:
Type of vulnerability detected
Description: how did you find it?
Which steps did you follow to find it?
If you used a tool, please mention it
If you found several vulnerabilities, report each one separately.
We accept reports in both English and Spanish.
Handling and processing of received reports
Scitum will use the following criteria to prioritize and categorize reports:
Quality and quantity of the information you send us that allows us to better understand the finding (for instance, you could include the test code you used when identifying the vulnerability); the composition and presentation of the report will also be taken into account
Risk assessed from the documented findings
Date of the findings
We are committed to:
Investigate all received reports; Scitum will reply within a maximum of 72 hours and will also indicate the time needed to analyze and verify the vulnerability
Contact the researcher to discuss the findings
Notify you when we have concluded the analysis of the vulnerability
Credit your work
At the end of the investigation we may publish the joint research (with your prior consent) once we are sure that the vulnerability has been mitigated and our asset is no longer at risk. If you decide to publish your research directly, we require you to commit to not publishing the vulnerability while it is still under investigation.
This document was created in January 2020 and will be updated at least every 90 days.