Vulnerability Response Programme

Overview

At Digital Control Room, security is central to our services.  We recognise the critical role that the security research and vulnerability testing community plays in ensuring the safety of our services. Our Vulnerability Response Programme (VRP) is designed to facilitate collaboration with researchers about potential vulnerabilities in our systems, establish rules for vulnerability testing and provide a Safe Harbour for our VRP participants.

Vulnerability Reporting

DCR uses HackerOne to manage and validate properly disclosed vulnerability reports.

If you believe you have discovered a security vulnerability in any of our products or services, we encourage you to submit a report while ensuring confidentiality at all times.

Our Commitment

When you report a vulnerability to us, we commit to:

  • Acknowledgment: Confirm our receipt of your report on a timely basis.
  • Assessment: Conduct a thorough assessment of the reported vulnerability.
  • Credit: Work with HackerOne to provide public recognition for your contribution if you so request.

 

Safe Harbour

Testing activities conducted in accordance with the VRP are protected by a Safe Harbour, meaning that we will not take legal action against researchers who discover and report vulnerabilities in accordance with this VRP. If a third party takes legal action against you in connection with your activities conducted in accordance with our VRP rules, we will make it known that your actions were conducted in compliance with our VRP.

In operating this VRP, any failure or delay by us to exercise any of our rights and interests will not operate as a waiver of the same.  Additionally, should anyone violate our VRP rules, we will retain all of our legal and equitable rights and other remedies, including the rights to seek injunctive relief, specific performance and other equitable relief.

VRP Rules

This VRP should not be interpreted as encouragement or permission to hack, penetrate or otherwise attempt to gain unauthorised access to our applications, systems or data. To avoid any confusion between good-faith reporting and a malicious attack, we ask that you:

  • Promptly report any suspected or confirmed vulnerability you’ve discovered in accordance HackerOne’s Disclosure Guidelines;
  • Keep the details of any discovered vulnerabilities strictly confidential, and do your utmost to avoid privacy violations, destruction of data, and interruption or degradation of our service;
  • Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact;
  • Cease testing and submit a report immediately if a vulnerability provides unintended access to data, e.g. if you encounter any user data, personal data or confidential or proprietary information;
  • Provide us with a reasonable amount of time to remediate vulnerabilities;
  • Only interact with accounts you own or with explicit permission from the account holder;
  • Perform your VRP activities for the sole purpose of identifying vulnerabilities, and in particular do not:
    • violate any national or local laws or regulations;
    • violate the privacy of others, disrupt our systems, destroy data and/or harm the user experience;
    • conduct activities which could harm our interests or those of our users, including any social engineering (e.g., phishing, vishing, smishing);
    • discuss the VRP or any vulnerabilities (even resolved ones) outside of the program without our written consent
    • test for or submit vulnerabilities on unscoped subdomains without the prior written authorization of the program team

When reporting vulnerabilities, please consider the attack scenario/exploitability, and security impact of the bug. Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it will not be eligible for a reward.

In Scope

Please note that ONLY the following addresses are in scope, and everything else is out of scope.:

  • dcrtesting.com
  • https://form.hackerone.dcrtesting.com/
  • https://portal.hackerone.dcrtesting.com/
  • https://policy.hackerone.dcrtesting.com/

 

Out of Scope

The following issues are considered out of scope: https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings

Rewards

This VRP operates exclusively through HackerOne, and rewards will only be given in conjunction with our HackerOne programme.

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). When duplicate reports occur, we only award the first report that was received (provided that it can be fully reproduced). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Please note these are general guidelines, and reward decisions are at our discretion.