Vulnerability Disclosure Guidelines

All technology contains bugs. If you’ve found a security vulnerability affecting ISGroup SRL systems, products, or services, we want to know so we can fix it.

By submitting a vulnerability to ISGroup SRL’s Vulnerability Disclosure Program, you acknowledge that you have read and agreed to these guidelines.

Important: ISGroup SRL does not offer monetary rewards for vulnerability disclosure. Valid contributions will be recognized in our Security Hall of Fame.


Vulnerability Disclosure Philosophy

Finders should…

  • Respect the rules. Operate within the rules set forth by ISGroup SRL’s Security Team, or raise any strong disagreement with those rules directly with the Security Team.
  • Respect privacy. Make a good-faith effort not to access or destroy another user’s data.
  • Be patient. Make a good-faith effort to clarify and support their reports upon request.
  • Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.

The ISGroup Security Team will…

  • Prioritize security. Make a good-faith effort to resolve reported security issues promptly and transparently.
  • Respect Finders. Give Finders public recognition for their contributions via the ISGroup Security Hall of Fame.
  • Reward research appropriately. While ISGroup does not provide financial bounties, it will give prominent public credit for valid findings.
  • Do no harm. Not take unreasonable punitive actions against Finders, such as legal threats or law enforcement referrals, when these guidelines are followed.

Safe Harbor

We are committed to protecting the interests of Finders. Vulnerability disclosure is inherently complex, but the more closely a Finder’s behavior aligns with these guidelines, the better we will be able to protect that Finder if a difficult disclosure situation escalates.


Submission Process

  1. Review the program policy before submission; in case of conflict, the program policy supersedes these guidelines.
  2. If you believe you have found a vulnerability, submit a detailed report to: security@isgroup.it
    The report should include:
    • A clear description of the issue, including the affected system, product, or service.
    • Concise, reproducible steps or a working proof-of-concept.
    • Expected impact.
  3. Reports lacking this detail may cause significant delays in validation and remediation.

The report will be updated with major milestones, including:

  • Validation of the vulnerability.
  • Requests for additional information.
  • Notification of inclusion in the Hall of Fame, if applicable.

Vulnerability Disclosure Process

  • Default: If neither party raises an objection, report contents will be made public within 30 days after remediation.
  • Mutual agreement: The Finder and ISGroup may agree on a custom disclosure timeline.
  • Protective disclosure: If there is evidence of active exploitation or imminent harm, ISGroup may immediately publish remediation details.
  • Extension: Some vulnerabilities may require more than 30 days to remediate; in that case ISGroup will remain in communication with the Finder.
  • Last resort: If 180 days have passed since the initial report without ISGroup providing a disclosure timeline, the Finder may disclose publicly.

Private Programs

Some Finders may be invited to private programs. Participation is optional and subject to strict non-disclosure. Finders who wish to publicly disclose their findings should not join private programs.

Alternatives:

  • Submit directly to ISGroup outside of the program.
  • Use a trusted third party for disclosure assistance.

Public Recognition

You may receive public recognition in the ISGroup Security Hall of Fame if:

  1. You are the first to report a specific vulnerability.
  2. The vulnerability is confirmed as valid.
  3. You comply with these guidelines.

Finders who prefer anonymity may request pseudonym recognition.


Bug Bounty Policy

ISGroup SRL does not provide monetary rewards for vulnerability reports. Recognition is through the Hall of Fame only.
Minors are welcome to participate. As with all Finders, no monetary reward applies; minors will receive public recognition with parental or guardian consent.


Definitions

  • Security Team: The individuals responsible for addressing security issues in ISGroup systems.
  • Finder: Anyone who investigates and reports a potential security issue.
  • Report: A Finder’s written description of a potential vulnerability.
  • Vulnerability: A bug or design flaw that allows an action contrary to the intended security policy of a system.
  • Program: ISGroup’s published policy guiding security research against its systems.
