CSI Piemonte considers the security of its projects a top priority. However, no matter how much effort we put into security, our products can still present vulnerabilities.

If you discover a vulnerability in one of the projects developed by us, we invite you to follow these Responsible Disclosure guidelines as soon as possible in order to help us better protect our users and their data.

This policy describes how to send us vulnerability reports, how we ask security researchers to behave when disclosing vulnerabilities and how we will act as a consequence of your report. Your personal data will be processed based on your consent and in accordance with our privacy policy.

If you are the first to report a verifiable major security issue, we’ll thank you with a place in our Hall of Fame. We do not offer a bug bounty program.

Report a vulnerability

Submit your report in Italian or English language via email to csirt@csi.it

Encrypt your findings using our PGP Key to prevent this critical information from falling into the wrong hands.

Please provide adequate information so that the vulnerability can be reproduced and resolved as quickly as possible. Your report should include at least the following information:

  • the type of vulnerability
  • the service or URL or IPs affected by the flaw
  • description of the security issue
  • requirements and steps to reproduce the issue
  • timestamp and IP address used to identify the issue
  • impact of the vulnerability together with an explanation of how an attacker could find it and exploit it
  • your consensus - if you wish - to be listed in the Hall of Fame, if eligible, and in which form/wording (real name, pseudonym, contact information).

A compressed archive (.zip) with all the files which can help in reproducing the flaw will be most welcome (i.e. images, screenshots, text files with description details, PoC, source code, scripts, network packet capture traces, logs, source IP addresses…). Currently our mailbox can accept messages up to 20 MB. The compressed archive can be password protected and the password shared with us in a different email message.

Guidelines

  • Do not take advantage of the vulnerability or problem you have discovered.
  • Do not perform any activity that can damage us or our users, disrupt the impacted system or service or cause any data leakage/loss.
  • Respect the privacy of our users: you are not allowed to use any personal data for purposes other than protect our users and their data, in accordance with this policy.
  • Keep confidential any information about discovered vulnerabilities, therefore commit not to reveal any of these - entirely or partially - or in any form make them available to third parties, for up to 90 calendar days after you have notified CSI Piemonte, unless mutually agreed otherwise.
  • Do not place a backdoor in a system.
  • Do not make changes to the system or application.
  • Do not use Denial of Service attacks or brute force access.
  • Do not use aggressive automated scanning.
  • Do not use social engineering of our employees or contractors.
  • Reports about TLS levels and/or ciphers, email spam, volumetric attacks, results of automatic tools for vulnerability assessment/penetration testing, obsolete and/or buggy libraries or application software, missing web security headers and noncompliance to “best practices” in general will NOT be qualify as valid submissions for a mention in the Hall of Fame, unless you are able to craft an exploit that leverages also the lack of such headers or configurations.

Our commitment

  • We will respond to a valid submission within 10 business days with our evaluation of the report and an expected resolution date.
  • If you have followed the instructions above, we will not take any legal action against you concerning the report.
  • We will not pass on your personal details to third parties without your permission, unless it is necessary to comply with a legal obligation. Reporting under a pseudonym or anonymous is possible.
  • We will keep you informed of the progress towards resolving the problem.
  • For major issues, ranked so at our discretion, we can mention (if you desire) your name or acronym as the discoverer of the reported vulnerability in our hall of fame.
  • We do not offer bounties for valid submissions.

Scope

This policy applies to the projects directly developed or maintained by CSI Piemonte hosted on the AS2594 IPv4 space (if directly developed or maintained by CSI Piemonte).

We reserve the right to update this Responsible Disclosure Policy at any time.

Version 2021-05-13.