Responsible Disclosure Policy
At Lineas, we strive at all times to provide our customers with the excellent service they expect from us. Maintaining the security of our systems and ensuring the privacy of our data is therefore a top priority. To attain that high standard, we value external security researchers acting in good faith to assist us in finding vulnerabilities in our environment (“Vulnerability”). This policy sets out the scope, process and rules in relation to finding and reporting those security Vulnerabilities.
I. Scope
This Responsible Disclosure Policy applies to any system, application, or asset which is used by Lineas to provide its services to its customers or partners.
II. Process when discovering a Vulnerability
If you discover a Vulnerability in relation to one of our systems, applications or assets, we ask you to:
- Report this Vulnerability as soon as possible after discovery;
- Mail your findings to secops@lineas.net and encrypt them with our PGP key;
- Provide sufficient information to enable Lineas to reproduce the Vulnerability;
- Provide your contact details; and
- Confirm that you have acted and will continue to act in good faith, without any malicious intent and in accordance with this Responsible Disclosure Policy.
III. Applicable requirements
We require all security researchers to:
- Act in good faith to avoid privacy violations, degradation of our services, disruption to production systems, data exfiltration, destruction of data during security testing, or any other damaging event;
- Act within legal limits when identifying potential Vulnerabilities and explicitly refrain from demonstrating security Vulnerabilities, notably by performing DDoS attacks, brute-force password attacks or social engineering activities, by infecting systems with malware, or by running automated scans;
- Perform research in finding Vulnerabilities only within the scope set out above and in accordance with this Responsible Disclosure Policy;
- Keep any information about any discovered Vulnerability confidential between us for at least 90 days, it being understood that Lineas shall use its best efforts to resolve the Vulnerability during that period;
- Not reveal the discovered Vulnerability to any third party until it has been resolved.
IV. Safe Harbor
If you follow this Responsible Disclosure Policy, including the above-mentioned Requirements, when discovering, dealing with and reporting a Vulnerability, Lineas commits to:
- Not pursue or support any legal action related to your research;
- Work with you to understand and swiftly resolve the Vulnerability (including an initial confirmation of your report within 3 business days of submission);
- Recognize your contribution on our responsible disclosure page, if you are the first to report the Vulnerability, and make a code or configuration change based on the Vulnerability.
If at any time you have concerns or are uncertain whether your security research is consistent with this Responsible Disclosure Policy, please send an email to cybersecurity@lineas.net before going any further.