Security Vulnerability Disclosures

SEUPB recognises the importance of community engagement in maintaining robust security.

Introduction

This Vulnerability Disclosure Program (VDP) exists to make it as easy as possible for anyone who has identified a security vulnerability in a SEUPB system or service to report it to us, so that it can be quickly investigated and addressed.

For the purposes of this VDP we define a vulnerability as a flaw or weakness in the design, implementation, or operation of our public-facing infrastructure which is original (not previously known or reported) and could be exploited by a malicious agent to compromise our security.

It is not a vulnerability if it cannot be exploited (e.g. an old software version with no known issues), if it merely concerns alignment with best practice (e.g. the TTL on an MTA-STS record), or if it is volumetric (i.e. overwhelming a service with a high volume of requests – please do not do this).

SEUPB is a publicly funded body and takes the security of its IT systems seriously; please note that there is no financial reward for reporting a vulnerability.

Vulnerability Reporting Guidelines

SEUPB uses the HackerOne platform for processing reports under this program as part of the Northern Ireland government. Vulnerabilities can be submitted without creating an account; however, we recommend creating an account so that you can be kept updated on the progress of your report.

To submit a report, you must agree to the HackerOne terms, privacy policy and disclosure guidelines.

When submitting a report, make sure you select SEUPB as the asset so that your report is allocated correctly internally.

The HackerOne reporting process will guide you through the information you need to include, which should be at least:

  • Where the vulnerability was observed (the affected system, URL or service).
  • A description of the vulnerability and its potential impact.
  • The steps needed to reproduce it.
  • Supporting evidence (relevant logs, request/response captures and screenshots).

Submit A Report

If you already have a HackerOne account, submit your report here.

If you do not have a HackerOne account or wish to remain anonymous, submit your report here.

What To Expect

We will respond to reports within 5 working days and triage them within 10 working days, and usually much sooner. Priority for remediation is assessed on the impact, severity, and complexity of the exploit. Where possible, we will keep you updated on our progress and respond to requests for updates; however, we ask that such requests are no more frequent than weekly, to allow our staff to maintain focus on remediation activities.

You must not disclose any vulnerabilities found in SEUPB systems or services to third parties or the public before we have remediated the vulnerability. This is not intended to stop you notifying third parties for whom a vulnerability is directly relevant (e.g. if a vulnerability being reported resides within a third-party application or library, details of the vulnerability may be reported to that vendor, provided SEUPB is not referenced in such reports).

Once we believe we have remediated the vulnerability, we will notify you and may request that you confirm that the fix is adequate. At this point, we welcome requests for public disclosure.

If you experience difficulties with this program, such as unexplained delays, or wish to dispute the result of a triage because you believe your discovery presents a genuine risk to SEUPB, you may contact our Belfast office (contact details on our website) and ask to speak to the IT Security Officer.

Guidance

You must not:

  • Break any applicable law or regulation.
  • Access unnecessary or excessive amounts of data.
  • Modify data in SEUPB systems or services.
  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
  • Attempt any form of denial of service.
  • Disrupt SEUPB services or systems in any way.
  • Communicate any vulnerabilities or associated details other than by means described herein.
  • Perform social engineering or phishing against SEUPB staff, or physically attack SEUPB staff or infrastructure.
  • Demand financial compensation to disclose a vulnerability.

You must:

  • Properly secure any data retrieved from SEUPB systems or services.
  • Preserve privacy of SEUPB users, staff, contractors, services, and systems.
  • Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

Legalities

This program is designed to facilitate a cooperative environment in which the security community can work with us to protect users and infrastructure without fear of legal consequences. We are committed to ensuring that individuals who report vulnerabilities in good faith and in accordance with our reporting guidelines are not subjected to legal repercussions, and that responsible disclosure is met with cooperation and appreciation. Should legal action be initiated by a third party, we will endeavour to make it known that any actions taken were conducted in compliance with this policy.
