Vulnerability Disclosure Policy
The objective of this plan is to articulate a standardised approach to:
- a vulnerability disclosure program for the AUCloud ICT environment;
- ensuring compliance with the Australian Cyber Security Centre's (ACSC) Information Security Manual (ISM); and
- mitigating potential cyber security risks.
2. Policy Statements
This policy applies to the AUCloud ICT environment and includes:
- the purpose of the vulnerability disclosure program.
- the types of security research that are allowed.
- the types of security research that are not allowed.
- how to report potential security vulnerabilities.
- the actions that will be taken on receiving notification of potential security vulnerabilities and indicative time frames for these actions.
- any expectations regarding the public disclosure of verified security vulnerabilities.
- any recognition that finders of verified security vulnerabilities will receive.
2.2 Out of Scope
This policy does not apply to AUCloud strategic partners, customers hosting their services on AUCloud or other technologies not directly managed and controlled by AUCloud.
Cisco, VMware and other strategic partners manage their own vulnerability disclosure programs. Vulnerabilities discovered by researchers and others within strategic partner technologies should be reported directly to the vendor.
3. Policy Purpose
The purpose of this document is to provide direction for vulnerability disclosure for the Sovereign Cloud Australia (AUCloud) ICT environment.
A vulnerability disclosure program (VDP) can assist AUCloud to improve the security of our services, as it provides a way for security researchers, customers and members of the public to responsibly notify AUCloud of potential security vulnerabilities in a coordinated manner.
AUCloud encourages the vulnerability assessment and testing of its environments in a controlled and non-damaging manner.
4. Policy Exemptions
All exemptions to this document must be approved by the Chief Information Security Officer (CISO). The CISO is responsible for maintaining a record of such exemptions and any necessary corrective actions.
5. Researcher / Tester
AUCloud encourages the vulnerability assessment and testing of its environments and regularly undertakes penetration tests and vulnerability assessments of its environments.
5.1 Researcher / Tester Promise
AUCloud is committed to working with security researchers to help identify and fix vulnerabilities in our systems and services. As long as you act in good faith and abide by the guidelines outlined in this policy, we will make our best effort to commit to the following:
- Provide an initial response to your vulnerability report within three business days
- Determine if we will accept (intend to fix) or reject (identify your report as a false positive or acceptable risk) your vulnerability report within ten business days
- Keep you up to date on progress towards remediation of reports we accept from you
6. Testing guidelines
When performing security testing, please adhere to the following guidelines:
- Seek permission and advise AUCloud of your proposed testing
- Only test against your own accounts and data (e.g. create test accounts). If you identify a vulnerability that may result in access to other users' data, please check with us first before testing further.
- If you inadvertently access other users' data in your testing, please let us know, and do not store any such user data.
- Do not perform testing that results in denial of service conditions or degradation of our production services.
- Do not perform load testing that results in the degradation of our production services.
- 'Red teaming' or other activities including social engineering and physical security assessments are out of scope of this program:
  - Do not attempt to socially engineer AUCloud, our users or customers.
  - Do not attempt to breach or compromise the physical security of our offices, buildings or data centres.
AUCloud reserves the right to block or disable any attempted tests of the AUCloud environment through automated or manual incident response processes.
We're particularly interested in the following types of vulnerabilities and impacts:
- Remote code execution
- Vulnerabilities where remote execution can trigger background processing (jobs) that reduces availability for customers
- XSS resulting in access to sensitive data (e.g. session info)
- SQL injection resulting in access to sensitive data or functionality
- Business logic flaws that result in access to sensitive data or functionality
We are less interested in the following types of vulnerabilities, which are more likely to get rejected as false positives or accepted risks:
- Lack of the X-Frame-Options header on pages without state-changing functionality
- Unverified automated scanner results
- Issues that are unlikely to be exploitable and/or that do not have realistic security impact
The following assets are considered in scope for assessment. Assets not provided in this list are out of scope.
Researchers and Testers should submit reports to email@example.com.
Please use the following report submission form:
- A one-line description of the issue, e.g. "XSS in mail.example.com results in session theft"
- A brief description of the vulnerability and why it matters, e.g. "Due to a lack of escaping, you can send an email to another user containing an XSS payload that would enable an attacker to steal another user's cookies containing session information. This would allow the attacker to log in to the victim's account."
- Step-by-step instructions on how to reproduce the vulnerability.
- Attack Scenario and Impact: How could this be exploited? What security impact does this issue have?
- Optionally, if you have any advice on how this issue could be fixed or remediated, add it here.
9. Disclosure of vulnerabilities
AUCloud will disclose the vulnerability and associated remediation to its customers and provide recognition to the researcher / tester who discovered the vulnerability.