LAST UPDATED: AUGUST 27, 2023
Secure Ideas Disclosure Policy
Introduction
Secure Ideas is committed to the security of our clients and students. This document serves as a formalized process outlining how vulnerabilities related to our public-facing internet presence should be disclosed. The policy is designed to be in line with the intent of RFC 9116 Section 2.5.7.
Scope
This policy applies to vulnerabilities that are directly related to our public-facing internet presence and owned by Secure Ideas, LLC. For vulnerabilities pertaining to software owned and managed by a third party (e.g., SaaS), those should be reported to the appropriate third party.
Reporting a Vulnerability
Please submit vulnerability reports via email to security@secureideas.com. Reports may be submitted anonymously. We will acknowledge receipt of your report within three (3) business days.
Authorization
Research conducted in good faith and in compliance with this policy is considered authorized. Legal action will not be pursued against researchers who abide by these terms.
Guidelines
- Notify us as soon as possible upon discovery of a potential security issue.
- Make every effort to avoid privacy violations and data manipulation.
- Use exploits only to confirm a vulnerability's presence.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.
Test Methods NOT Authorized
- Denial of service tests
- Physical testing, social engineering
- Non-technical vulnerability testing
Verification Process
Upon receiving a vulnerability report, a Secure Ideas security consultant will be responsible for verifying the reported vulnerability.
Internal Coordination
Internal coordination will be handled by senior management, reflecting the company's small size.
External Coordination
We will coordinate with vendors, customers, and applicable third parties when handling a vulnerability.
Disclosure Details
Due to the sensitive nature of our work and our clients, we will minimize public communication regarding vulnerabilities unless necessary. Further details will be coordinated with the reporting party.
Timeframes
- Acknowledgment of receipt: Within three (3) business days
- Verification and Remediation: To be determined on a case-by-case basis
No-Bounty by Default
Secure Ideas does not operate a traditional bug bounty program and generally does not offer monetary rewards for vulnerability disclosure. However, in exceptional cases where the vulnerability poses an imminent threat to client data, a discretionary reward may be considered.
Bounty Exceptions and Exclusions
- Imminent Threat: Monetary rewards are reserved exclusively for vulnerabilities that present a direct and immediate threat to the security of client data. The determination of what constitutes an 'imminent threat' is at the sole discretion of Secure Ideas.
- Pre-existing Knowledge: Vulnerabilities that are already known to Secure Ideas and are in the process of being addressed are not eligible for rewards.
- Low Impact: Issues that are of low impact or are considered to be 'informative' or 'best practices' but do not pose a security risk are also not eligible for rewards.
- Third-Party Software: Vulnerabilities found in third-party software or services are not eligible for a reward and should be reported directly to the third party.
Policy Update
This policy will be reviewed annually and updated as necessary.