Responsible Disclosure page

[dsernst]

We discussed yesterday wanting to add a page outlining our philosophy about responsible disclosures.

Contents:

• What we're asking for and what we're offering re relating to outside security researchers.
• TBD

[arianabuilds]

Draft —

Responsible Disclosure Policy

Introduction

At Secure Internet Voting (SIV), we prioritize the security of our systems and data. We recognize the valuable role that ethical security researchers and our community play in maintaining the security and integrity of our services. This Responsible Disclosure Policy is designed to give clear guidelines on how to responsibly report identified security vulnerabilities.

Scope

This policy applies to any security vulnerabilities you believe you have discovered in any product, service, or system offered by SIV. We request that you do not disclose the vulnerability to the public or third parties in a manner that can cause harm or damage.

Reporting a Vulnerability

If you believe you have found a security vulnerability, please report it to us as soon as possible. We ask that you:

• Email your findings to [security@siv.org].
• Provide sufficient information to reproduce the vulnerability, so we can resolve it as quickly as possible. Typically, this includes a description of the vulnerability, its potential impact, and a step-by-step guide to reproduce the issue.
• Avoid exploitation of the vulnerability, e.g., downloading more data than necessary to demonstrate the vulnerability, or deleting or modifying other people's data.

Our Commitment

Upon receiving your report, we commit to:

• Acknowledging receipt of your report within 72 hours.
• Investigating the report and working to understand the impact and root cause.
• Working to address the issue in a timely manner and keeping you informed of our progress.
• Not pursuing legal action or law enforcement interaction for responsible disclosure.
• Keeping the communication open and transparent.

Confidentiality

We ask that you keep your findings confidential until we have had a chance to address them. We understand that not all security issues can be immediately fixed and require time to patch. We aim to resolve all issues as quickly as possible, and we ask for your cooperation in maintaining confidentiality during this period.

Recognition

We believe in recognizing the efforts of security researchers who responsibly disclose vulnerabilities. We will acknowledge your contribution in our security update communications, should you wish.

Limitations

While we encourage the reporting of security vulnerabilities, please note:

• We have not documented all potential attack vectors in our public documentation for security reasons.
• There may be some vulnerabilities we are already aware of and are in the process of addressing.

Contact Us

For any questions or concerns, please contact [security@siv.org].

[arianabuilds]

Or something a bit less formal —

Responsible Disclosure at Secure Internet Voting (SIV)

Spot a Security Issue? Let’s Tackle It Together

Intro

We’re all about security at SIV, but nobody's perfect. If you’ve noticed a security problem in our systems, we want to be the first to know. We ask that you don’t share this publicly until we’ve had a chance to fix it.

Got a Security Tip?

Send us a note at security@siv.org. Include these details:

• A clear description of the issue.
• Steps we can follow to see the problem ourselves.
• Please avoid actions that could harm the system or data.

Our Promise to You:

• We’ll acknowledge your email within 72 hours.
• We’ll investigate thoroughly and work on a fix.
• No legal action for reports made in good faith.
• Transparent and ongoing communication.

Confidentiality Matters

We ask for your discretion until the issue is resolved. Some fixes take time, and we’re committed to getting it right.

Credits Where They're Due

We appreciate your help and are happy to give credit in security updates, if you like.

Heads-Up

• Not every potential issue is in our public docs — that’s for security.
• We might already be working on something you find.

Questions or Thoughts?

Feel free to reach out at security@siv.org.