Issues in scope
Any vulnerability that you find that does not fall under our "Issues not in scope" category. The vulnerability must be:
Demonstrable (You should be able to show a member of our team this vulnerability and
how will impact our services if exploited, theoretical impacts of a vulnerability are not considered in scope)
Vulnerabilities covered by this policy are under the domain *.cybersoc.wales/*, that is cybersoc.wales
and all of its subdomains (that we manage)
Not have been discovered internally or previously reported to us
Issues not in scope
The following issues are ones that you should not report.
- [Distributed] Denial of Service (DOS/DDOS) attacks
- Clickjacking attacks
- Reports that our site does not fully conform to “best-practices” (i.e. missing security headers, email configuration)
Reporting a Vulnerability
Please see the security.txt file for contact details regarding vulnerability reporting.
In your initial correspondence, you should include the following:
- The hostname and page that the vulnerability was found on
- The type of vulnerability (i.e. SQL injection)
- Your contact details
Please avoid sharing specific details about the vulnerability at this stage.
We will ask for more details later on using an encrypted form of communication.
What to expect
After you have submitted your report, we will respond to your report within 5 working days and aim to triage your
report within 10 working days. We'll also aim to keep you informed of our progress.
Guidance for Researchers
Security researchers must not:
- Access unnecessary amounts of user data
- Violate the privacy of CyberSoc or its clients; for example by sharing or not properly securing data retrieved from our systems;
- Modify data in our systems which is not your own;
- Disrupt our services;
Disclose any information regarding the vulnerability found to third-parties before CyberSoc has had the
opportunity to mitigate or fix the vulnerability.
Security researchers must ensure that any data retrieved from our systems is removed from their
possession as soon as it is no longer required or 2 weeks after the vulnerability is resolved, whichever is sooner.
If you require any further clarification on any of the above details, please contact us via the email in the security.txt file.
This policy is designed to be compatible with common vulnerability disclosure good practice.
It does not give you permission to act in any manner that is inconsistent with the law,
or which might cause CyberSoc to be in breach of any legal obligations.
However, if legal action is initiated by a third party against you, and you have complied with this policy,
we can take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep CyberSoc and our clients safe.
This document was last updated on 31st July 2022.