Vulnerability Disclosure Policy

CEnet Vulnerability Disclosure Policy

Purpose

CEnet Limited welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, we want to hear from you.

The security researcher community makes valuable contributions to the security of an organisation and we are motivated to maintain a good relationship with this community. Such research will be viewed as a collaboration if security vulnerabilities are reported to us in accordance with this policy. In the event that a security vulnerability is not reported in accordance with this policy, we reserve all of our legal rights. 

Systems In Scope

Our Vulnerability Disclosure Policy applies to independent security researchers for any digital assets, systems, or Software as a Service (SaaS) cloud services provided by, or through, CEnet.

NB: This does not authorise you to conduct security testing against our systems. If you have inadvertently discovered that a vulnerability exists, report it to us so that we can test and verify it.

Our Commitment

When working with us, according to this policy, you can expect us to:

  • Respond to your report promptly, and work with you to understand and validate your report;

  • Strive to keep you informed about the progress of a vulnerability as it is processed;

  • Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.

When a report is made for a new vulnerability, we ask that you keep the information confidential and do not make your research public until we have completed our investigation and where applicable, have remediated or mitigated the vulnerability.
We may need to contact you for more information to resolve the concern. We will handle your report confidentially in line with our privacy policy on our website.

Recognition for Identifying Vulnerabilities

As a not-for-profit organisation, we do not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities. We will however publicly recognise the researcher(s) and/or organisations who discovered the vulnerability, subject to their consent.
The names or aliases of researchers who have identified and disclosed security vulnerabilities will be listed here.

How to Report a Vulnerability

Please report security issues via our Official Channel - vulnerabilitydisclosure@cenet.catholic.edu.au - providing all relevant information. This should include, but not be limited to:

  • An explanation of the potential security vulnerability & detection date,

  • where possible, a listing of the products and services that may be affected (IP Address(es), hostname(s), service(s), product(s), solution(s), and any known versions affected),

  • technical description including steps to reproduce the vulnerability,

  • names of any test accounts you have created (where applicable),

  • your contact details,

  • disclosure plans (if any).

Do not include any attachments in your first email. CEnet will arrange for a secure file transfer if required. Any additional information can be shared in subsequent communications.

Out Of Scope

Assets or other equipment not owned by parties participating in this policy are out of scope. Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

For the avoidance of doubt, the following list includes, but is not limited to, the types of techniques that are not permitted during research activities:

  • Actions that violate Australian law.

  • Clickjacking.

  • Social Engineering or phishing.

  • Decryption of weak or insecure SSL ciphers or certificates.

  • Denial of Service (DoS), or Distributed Denial of Service (DDoS) attacks.

  • Physical attacks.

  • Attempts to modify or destroy data.

Our Expectation

By participating in our vulnerability disclosure program in good faith, we ask that you:

  • Play by the rules, including following this policy and any other relevant agreements;

  • Report any vulnerability you’ve discovered promptly;

  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;

  • Use only the Official Channels to discuss vulnerability information with us;

  • Do not publicly disclose without express written consent from an appropriately authorised CEnet employee;

  • Once we have confirmed that our initial investigation is complete, give us a reasonable amount of time (at least 120 days from the initial report) to resolve the issue before you disclose it publicly;

  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;

  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;

  • You should only interact with test accounts you own or with explicit permission from the account holder; and

  • Do not engage in extortion.
