Vulnerability Disclosure Policy

NZRS is committed to resolving security vulnerabilities quickly and carefully. If you believe you have discovered a security-related issue within our online systems, we appreciate your help in disclosing the issue to us responsibly and confidentially so that we can investigate and respond.

Process

Contact us via email (security@nzrs.net.nz) with a detailed report of the potential vulnerability. If you believe the vulnerability is serious, or you are concerned that unencrypted email could be read in transit, please encrypt the message with PGP. Our individual keys are listed on the team page, and we will shortly publish details of our corporate key on this page.

This email should include as much of the following as possible:

  • Type of vulnerability
  • Whether the information has been published or shared with others
  • Affected products and versions
  • Affected configurations
  • Step-by-step instructions or proof-of-concept code to replicate the issue

Within 7 days of submission we will acknowledge receipt of your report with a non-automated reply and, where applicable, provide an outline response plan.

We will then review the information and work to validate the reported vulnerability. If the report is confirmed as a genuine vulnerability, we will complete the investigation and notify the reporter. Where appropriate, the reporter will receive the results of the vulnerability findings, a plan for resolution and plans for public disclosure.

Limitations

We do not permit the following types of security research:

  • Causing, or attempting to cause, a Denial of Service (DoS) condition
  • Accessing, or attempting to access, data or information that does not belong to you
  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you

Customer Security

So that we may protect the security of our customers, we request that any potential vulnerability you believe you have discovered is not shared outside of trusted circles until we have had the opportunity to research, respond to and address the reported vulnerability, and to inform customers if needed. We also ask that you do not share or post any information belonging to our customers in any environment. We aim to address all valid vulnerabilities that are brought to our attention as quickly as possible.

Our commitment

If you act in good faith and follow this policy then we make the following commitments to you:

  • The information that you share with us as part of this process will be kept confidential within NZRS and our directly contracted suppliers. It will not be shared with third parties without your permission.
  • We will not initiate legal action against security researchers attempting to find vulnerabilities within our systems who adhere to this policy.
  • If you report a vulnerability that materially affects our services or infrastructure, we will thank you with a public acknowledgement. We may also consider paying a modest bounty, entirely at our discretion.

If you have any further questions, or you wish to report a vulnerability, please contact security@nzrs.net.nz.