Vulnerability Disclosure Policy
This policy shall govern any and all information security breaches or vulnerabilities occurring within the operations of Austral Design affiliates and other controlled entities.
This policy sets out the processes to report to Austral Design’s staff any data breach, suspicion of a data breach, or a vulnerability found on one of Austral Design’s systems. A data breach involves the loss of, unauthorized access to, or unauthorized disclosure of, personal information. A vulnerability is any flaw that can be found on a system that could lead to a data breach or to an interruption of the provided service.
Adherence to this Procedure and Response Plan will ensure that Austral Design can contain, assess and respond to data breaches or vulnerabilities expeditiously and mitigate the potential harm that they can produce.
For Austral Design, maintaining the confidentiality, integrity, and availability of our information and systems is very important. We appreciate the work done by security researchers who help us improve our security measures. That’s why we want to have a clear process for you to report vulnerabilities or security breaches. All vulnerabilities and/or security breaches must be reported to: australdesign28@outlook.com
Austral Design encourages security researchers to report any vulnerability or security breach that they believe they might have found. All reports submitted in compliance with this policy will be investigated, and any issue that might be encountered will be resolved as soon as possible. If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and we will not recommend or pursue legal action related to your research.
The following items describe what researchers must, may, and must not do when testing:
Security researchers must:
cease testing and notify us immediately upon the discovery of a vulnerability.
cease testing and notify us immediately upon the discovery of an exposure of nonpublic data.
purge any stored Austral Design nonpublic data upon reporting a vulnerability.
Security researchers may:
view or store Austral Design’s nonpublic data only to the extent necessary to document the presence of a potential vulnerability.
Security researchers must not:
test any system other than those set forth in the scope of systems listed below.
disclose vulnerability information except as set forth in the ‘Reporting a Vulnerability’ and ‘Disclosure’ sections below.
engage in physical testing of facilities or resources.
engage in social engineering.
send unsolicited electronic mail to Austral Design’s users, including “phishing” messages.
execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks.
introduce malicious software.
test in a manner that could degrade the operation of Austral Design’s systems; or intentionally impair, disrupt, or disable Austral Design’s systems.
delete, alter, share, retain, or destroy Austral Design’s data, or render Austral Design’s data inaccessible.
use an exploit to exfiltrate data, establish command-line access, or establish a persistent presence on Austral Design’s systems.
We have determined that the following systems are in scope for research:
Researchers are allowed to submit reports anonymously, although a preferred contact method is welcome so that we can clarify any reported vulnerability information or carry out other technical exchange.
When reporting a vulnerability or a security breach, we would like a detailed technical description of the steps to reproduce it, including tools, images, and any other documentation that can be attached to the report.
The information that should be provided (if known) at this point includes:
When the breach occurred or the vulnerability was exploited (time and date).
Description of the breach/vulnerability (the type of personal information involved).
Cause of the breach (if known); otherwise, how it was discovered.
Which system(s), if any, are affected?
Which project/area/task is involved?
Austral Design will determine the severity based on the following criteria:
The type and extent of personal information involved.
Whether multiple individuals have been affected.
Whether the information is protected by any security measures (password protection or encryption).
The person or kinds of people who now have access.
Whether there is (or could be) a real risk of serious harm to the affected individuals.
Whether there could be media or stakeholder attention as a result of the breach or suspected breach.