Responsible Disclosure Policy
ComputingPress welcomes feedback from the community on its website. Our Responsible Disclosure policy allows anyone in the community to perform security testing within the reasonable standards prescribed here and to communicate the results safely. If you identify any vulnerabilities in the ComputingPress website, please report the matter to ComputingPress via email.
We welcome your support to help us address any security issues, both to improve our website and protect our users.
We agree not to pursue legal action against individuals or companies who submit vulnerability reports through our requested channel and who comply with the requirements of this policy unless we are compelled to do so by a regulatory authority, other third party, or applicable laws.
The following are excluded from the Responsible Disclosure Policy (note that this list is not exhaustive):
- Taking any action that will negatively affect ComputingPress.
- Retaining any personally identifiable information discovered, in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage.
- Disclosing any personally identifiable information discovered to any third party.
- Destruction or corruption of data, information or infrastructure, including any attempt to do so.
- Discovery dependent on social engineering techniques of any kind (any verbal or written interaction with anyone affiliated with or working for ComputingPress).
- Any exploitation actions, including accessing or attempting to access ComputingPress data or information.
- Attacks on third-party services.
- Denial of Service attacks or Distributed Denial of Service attacks.
- Any attempt to gain physical access to ComputingPress property.
- Use of assets that you do not own or are not authorised or licensed to use when discovering a vulnerability.
- Violation of any laws or agreements in the course of discovering or reporting any vulnerability.
Out of scope vulnerabilities
- Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit.
- Third-party applications, websites or services that integrate with or link to ComputingPress.
- Reports that an in-use service (vulnerable third-party code, for example) runs a version with known vulnerabilities, without demonstrating an actual security impact.
Preference, prioritization, and acceptance criteria
We will use the following criteria to prioritize and triage submissions.
What we would like to see from you:
- Well-written reports in English will have a higher chance of resolution.
- Reports that include proof-of-concept code help us triage more effectively.
- Reports that include only crash dumps or other automated tool output may receive lower priority.
- Please include how you found the bug, the impact, and any potential remediation.
- Please include any plans or intentions for public disclosure.
What you can expect from us:
- A timely response to your email.
- After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
- An open dialogue to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our review.
Since all our source code is open source and we actively contribute to the open source and open science communities, we currently regard these disclosures as contributions to a world where access to research is open to everyone. As such, for now, we have no bounties available.
Thank you for your contribution to open source, open science, and a better world altogether!
ComputingPress reserves all of its rights, especially regarding vulnerability discoveries that are not in compliance with this Responsible Disclosure policy. This Responsible Disclosure policy is dated 15 June 2023 and will be periodically reviewed and updated; please bookmark this page and check it for the latest version of the policy before taking any action.