Vulnerability Disclosure Process Policy
Scope
This policy applies to all Sureway Employment & Training’s systems and services, including web applications, internal and external systems, infrastructure, cloud services, and third-party services or dependencies. It also covers vulnerabilities identified by third-party security researchers, contractors, or partners within our environment.
Disallowed Activities
To protect the integrity of the Program and the systems it covers, the following activities are not permitted, and the low-impact findings listed at the end of this section are out of scope:
· Social engineering or phishing
· Denial of Service (DoS) or Distributed DoS (DDoS) attacks
· Physical attacks
· Attempts to modify or destroy data
· Clickjacking
· Accessing or attempting to access accounts or data that does not belong to you
· Any activity that violates any law
· Posting, transmitting, uploading, linking to, or sending any malware
· Submitting raw automated vulnerability scanner output as a report (unless it forms part of an engaged penetration test)
· Use of deceptive techniques
· Exfiltrating any data under any circumstances; demonstrate access with the minimum data needed to prove the issue
· Testing third-party websites, applications, or services that integrate with Sureway's services or products
· Missing Secure or HttpOnly flags on non-sensitive cookies
· Use of a known vulnerable library or framework without a valid attack scenario
· Misconfigured DNS (domain name system) records including, but not limited to, SPF (sender policy framework) and DMARC (domain-based message authentication, reporting and conformance)
Security.txt
Sureway Employment & Training maintains a security.txt file at https://www.sureway.com.au/.well-known/security.txt, which provides information on how to report security vulnerabilities and how to contact our security team.
Vulnerability Disclosure Process
1. Reporting a Vulnerability
Vulnerabilities can be reported to Sureway Employment & Training through the following channel: Dedicated Security Email:
2. Information to Include in Report
- A detailed description of the vulnerability, including affected components (e.g., web app, API, server).
- Steps to reproduce the issue, including screenshots or videos if applicable.
- The impact of the vulnerability (e.g., data exposure, denial of service, privilege escalation).
- Any available proof of concept (PoC) or exploit details (if appropriate and ethical).
- Contact information for follow-up questions or clarifications (if the reporter is comfortable).
Timeline for Initial Response:
- A confirmation email will be sent within 48 hours acknowledging the receipt of the vulnerability report.
- A member of the security team will follow up with additional questions or clarification if needed, within 7 days of receipt.
Vulnerability Triage and Classification
Upon receiving a vulnerability report, the security team will conduct an initial review to:
· Verify the vulnerability.
· Classify the severity of the vulnerability.
· Determine the affected systems, users, or data.
· Assess the impact on business operations and prioritise remediation based on severity.
Acknowledgment and Communication with Reporter
Action: After classification, the security team will notify the reporter of the following:
· Acknowledgment: Confirmation that the vulnerability has been received, triaged, and classified.
· Timeline: An estimated timeline for resolution, including when the vulnerability is expected to be fixed and released in patches or updates.
· Updates: The reporter will be informed of the progress of the fix (if applicable) and when the vulnerability has been mitigated or resolved.
Vulnerability Resolution and Fix Deployment
The security team, in collaboration with development and operations teams, will prioritise fixing the reported vulnerability.
· Patch Development: A patch or fix will be developed to address the vulnerability, including changes to code, configurations, or infrastructure.
· Testing: The fix will undergo rigorous testing (e.g., functional, regression, security, and performance testing) to ensure that it resolves the issue without introducing new problems.
· Deployment: The patch or fix will be deployed to the affected environment (e.g., staging, production) using Sureway's standard Change Advisory Board (CAB) process.
· Verification: Post-deployment verification will be conducted to ensure that the vulnerability has been effectively mitigated.
Public Disclosure (If Applicable)
Action: After the vulnerability has been fixed and a patch has been deployed, public disclosure of the vulnerability may occur.
· Timing of Disclosure: Public disclosure will happen at a mutually agreed-upon time between the security team and the reporter, ensuring the vulnerability is no longer exploitable.
· Disclosure Methods: The vulnerability will be disclosed in the following manner:
Security Advisory: A detailed advisory or announcement will be published on Sureway’s website under the sub-page: https://www.sureway.com.au/security/vulnerabilities.
Roles and Responsibilities
· Security Team: Responsible for receiving, triaging, and resolving vulnerability reports, ensuring timely communication with the reporter, and overseeing the patching process.
· Development Team: Responsible for implementing fixes or patches for identified vulnerabilities and testing them to ensure proper resolution.
· Operations Team: Responsible for deploying patches and ensuring that systems are properly updated and secured in the production environment.
· Vulnerability Reporter: Security researchers or individuals who discover vulnerabilities in Sureway Employment & Training’s systems and responsibly disclose them.
· Public Relations Team: Responsible for handling public disclosure and communicating with stakeholders, if necessary.
Compliance and Enforcement
· Responsible Disclosure Commitment: Sureway Employment & Training commits to responsible disclosure and acknowledges the important role of security researchers and the security community in identifying vulnerabilities.
· Non-Retaliation: Sureway Employment & Training will not take legal action or retaliate against individuals or researchers who report vulnerabilities in good faith.
· Policy Compliance: All staff involved in vulnerability reporting, triaging, and resolution must adhere to this policy. Non-compliance may lead to disciplinary action.
Policy Review and Update
This policy will be reviewed annually or as needed to ensure it is aligned with best practices, evolving security threats, and regulatory requirements. Updates will be communicated to all relevant stakeholders.