Vulnerability Disclosure Policy

Last Updated a year ago

This policy is intended for those who are looking to report security vulnerabilities in any of our web services.

Opening Statements

We'd like to open by simply saying thank you. We understand that it is often difficult to contact the right people within a business to notify them of security vulnerabilities, and that in some cases doing so can even be legally risky for the reporter.

However, as a small family business that has full control over its own infrastructure, we'd like to take a different approach to security than the bigger businesses who often don't care until it's too late. Instead we'd like to ensure it's done right, and that it's kept that way.

Since the day we started our business over 7 years ago we've always aimed to provide a high level of customer service, and for us part of that customer service is ensuring customer data is kept safe at all times.

But at the end of the day we're only human and humans make mistakes. So we're always open to another pair of eyes taking a look and pointing out mistakes we've made.

We'd like to publicly state and confirm that we will not attempt to take any form of legal action, or cause other negative consequences, for individuals or businesses who seek to help us improve the security of our services by providing reports of vulnerabilities in line with this policy.

We encourage anyone who has found a security vulnerability in our services to let us know as soon as possible so that we may resolve the issue swiftly and continue to protect our customers' data.

What To Report?

We operate all of our services ourselves and have full control over them, including but not limited to managing our own dedicated web servers, databases, website code and even our own EPOS software and systems.

As such, we accept vulnerability reports in any and all of our services, so whether you've found a vulnerability which affects our website, servers, in-store systems or anything else, we'd like to know!

Finding Vulnerabilities

Provided you act in good faith, you may use a range of methods to help find and report a vulnerability.

However, please be aware that we have automated systems in place which may halt scans and, in some cases, automatically block your IP addresses at our firewalls.

We will not whitelist your IPs, disable security measures or otherwise assist your scans, as doing so would lower the usual level of security on our systems and could create an issue that would not otherwise exist. Vulnerabilities should be found on our systems on an "as is" basis, exactly as an attacker would encounter them.

What's Not Allowed

Naturally there are a few limitations on what we can permit. The following will not be considered good-faith or ethical research and are not permitted under this policy:

  • Attacking any system that is not operated by Eternal Goth
  • Attempting to attack, phish, harm or access our customers or their computers and devices
  • DDoS
  • Gaining access to our systems and using them to send spam or other mail
  • Harvesting customer data with intent to store it permanently and/or sell it
  • Harvesting company data with intent to store it permanently and/or sell it
  • Planting rootkits, cryptominers or any other malicious software or files on our systems
  • Sending unsolicited mail to our customers or team, including phishing mail

We understand that a vulnerability can sometimes make these things possible; we simply ask that you demonstrate that the vulnerability would allow it rather than actually doing it.

Generally you should use simple common sense.

Reporting Vulnerabilities

We would like to make it as easy as possible for you to contact the right people who can deal with vulnerabilities within our company quickly and effortlessly.

All vulnerabilities, regardless of the service they were found for, can be reported directly through our help centre using this link. Alternatively you may select "I'm reporting a security vulnerability" manually when opening a ticket.

Reports should provide a detailed technical description of the steps required to reproduce the vulnerability, including a description of any tools needed to identify or exploit it.

Please also include any PoCs, screenshots, CVE IDs, etc. In any case, more information is always better. If the file you wish to upload is too large, please use a secure file hosting provider (for example, Tresorit) and provide links to the files.

We prefer reports are sent to us in English.

Using this method of contact ensures that the right people are immediately notified about the vulnerability as soon as it is submitted. It's then tagged within our system as very high priority, ensuring it's noticed quickly.

Verification

If you are in doubt about the security of the submission channel, or you need to verify or encrypt the contents of messages, please use the DNS TXT records published at our "verify_gpgkey" subdomain.

You should be able to find the matching key on any public key server, such as the MIT key server, and also by simply searching for our domain name on a key server.

Assuming everything matches up as it should, you may also email the key holder directly if you deem it necessary. GPG encrypted and signed emails are accepted, although it is preferred that you submit a ticket where possible.

Warning: Please verify that the key was created in 2016, that it has a user ID email address matching our domain, and that it successfully verifies the signature on our security.txt file. If any of these checks fail, please do not trust the key.
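The checks listed above, written out as a script so they are done the same way every time. This is an added example and not code from Eternal Goth or from the policy; the domain, the layout of the TXT record (assumed to carry the key's 40-hex-digit fingerprint), the sample DNS answers and the sample `gpg --with-colons` output are all constructed assumptions, labelled in the code.

```python
"""Added example: apply the policy's key-trust checks to a GPG key.

Assumptions (not stated in the policy): the verify_gpgkey TXT record holds
the 40-hex-digit key fingerprint, and the domain is a placeholder below.
"""
import re
import subprocess
from datetime import datetime, timezone

DOMAIN = "example.com"  # placeholder; the policy does not name the domain

# Constructed sample answer for `dig +short TXT verify_gpgkey.<domain>`.
SAMPLE_TXT_RECORDS = [
    '"v=spf1 -all"',  # unrelated record that must be ignored
    '"ABCD 1234 ABCD 1234 ABCD 1234 ABCD 1234 ABCD 1234"',
]

# Constructed sample of `gpg --with-colons --fingerprint --list-keys <fpr>`.
# Field 6 of a pub record is the creation time (Unix seconds), field 10 of an
# fpr record the fingerprint, field 10 of a uid record the user ID.
# 1456790400 is 2016-03-01 00:00 UTC.
SAMPLE_GPG_COLONS = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:ABCD1234ABCD1234:1456790400:0::u:::scESC::::::23::0:
fpr:::::::::ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234:
uid:u::::1456790400::0123456789ABCDEF0123456789ABCDEF01234567::Security Team <security@example.com>::::::::::0:
sub:u:4096:1:1111111111111111:1456790400::::::e::::::23:
"""

FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def fingerprint_from_txt(records):
    """Return the first TXT value that is a 40-hex fingerprint, normalised."""
    for rec in records:
        value = rec.strip().strip('"').replace(" ", "").upper()
        if FPR_RE.match(value):
            return value
    return None


def parse_gpg_colons(text):
    """Pull creation year, primary fingerprint and UID emails from --with-colons output."""
    info = {"year": None, "fingerprint": None, "emails": []}
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub" and info["year"] is None and len(f) > 5 and f[5].isdigit():
            info["year"] = datetime.fromtimestamp(int(f[5]), tz=timezone.utc).year
        elif f[0] == "fpr" and info["fingerprint"] is None and len(f) > 9:
            info["fingerprint"] = f[9].upper()
        elif f[0] == "uid" and len(f) > 9:
            m = re.search(r"<([^>]+)>", f[9])
            if m:
                info["emails"].append(m.group(1).lower())
    return info


def check_key(txt_records, gpg_colons, domain, expected_year=2016):
    """Checks 1-3 from the policy: DNS fingerprint, creation year, UID domain.

    Returns (ok, reasons); any reason means the key must not be trusted.
    """
    reasons = []
    dns_fpr = fingerprint_from_txt(txt_records)
    key = parse_gpg_colons(gpg_colons)
    if dns_fpr is None:
        reasons.append("no fingerprint in DNS TXT")
    elif key["fingerprint"] != dns_fpr:
        reasons.append("fingerprint does not match DNS TXT")
    if key["year"] != expected_year:
        reasons.append(f"key not created in {expected_year}")
    if not any(e.endswith("@" + domain.lower()) for e in key["emails"]):
        reasons.append("no UID email on the domain")
    return (not reasons, reasons)


def validsig_fingerprint(status_text):
    """From gpg --status-fd output, return (signing-key fpr, primary-key fpr) of a VALIDSIG."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return (parts[2].upper(), parts[-1].upper())
    return None


def verify_security_txt(path, expected_fpr):
    """Check 4: the clearsigned security.txt must carry a VALIDSIG from the key.

    Needs gpg installed and the key imported; not exercised offline.
    """
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    found = validsig_fingerprint(proc.stdout)
    return found is not None and expected_fpr.upper() in found


if __name__ == "__main__":
    ok, why = check_key(SAMPLE_TXT_RECORDS, SAMPLE_GPG_COLONS, DOMAIN)
    print("trust key" if ok else "do NOT trust key: " + "; ".join(why))
```

In practice the TXT records come from `dig +short TXT verify_gpgkey.<domain>`, the key from `gpg --keyserver <server> --recv-keys <fingerprint>` (fetching by full fingerprint is what makes the key-server match meaningful), and the final check runs `verify_security_txt("security.txt", fingerprint)` against the downloaded security.txt. The signing key and primary key fingerprints are both accepted in check 4 because a key may sign with a subkey.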

Your Contact Information

Please ensure you provide a valid and working email address for communication as we may need to contact you to discuss your submitted vulnerability to help us fix it.

Customer Data

Protecting customer data is the most important thing for us, so if you believe you are able to gain, or currently have, access to any of our customer data, whether it's just one person's data or many, please let us know!

If the data has not yet been accessed, but the vulnerability may allow the possibility to do so, we will perform a full investigation to determine whether it has been previously accessed using the vulnerability.

If you currently have or have had access to our customer data, we ask that you do not save or sell any of this information.

If our customer data has been accessed, or it's likely that it has been accessed previously we will contact all affected customers immediately with details on which data was affected, in addition to following our standard procedures for a data breach.

Known Vulnerabilities

We're always watching for potential security problems, both in upstream products and in our own code, so in some cases our services may already have been patched, or had mitigations put in place, against a known upstream vulnerability even if upstream has not yet addressed the issue.

We'll double check the vulnerability to see if it can still be exploited based on information you've provided but may close the issue quickly if it's confirmed to be fixed.

Duplicate Reports

Sometimes we may receive the same vulnerability report twice. Whilst rare, if this happens we will close the second report as a known issue and continue to work with the first report.

However, if the second report contains further information which is helpful we will of course also use that information to help fix the problem.

The Investigation

Once we have your report we will begin to investigate it by attempting to exploit the vulnerability ourselves on our own systems; we will also review any CVEs you have provided to ensure we don't miss anything.

Each investigation is different depending on what is being reported of course. But in any case an appropriate investigation will be performed.

Time Frame and Fixes

If our investigation confirms the vulnerability, we will swiftly move on to fixing the issue, attempting fixes and then trying to exploit the vulnerability again after patching. We won't consider the issue fixed until we have confirmed that we can no longer exploit the vulnerability, or variations of it, on our live and test systems.

Typically we aim to complete our investigations and patch any vulnerabilities within 7 days where possible.

In the event we are unable to quickly fix vulnerable code, we will put a temporary mitigation in place to protect data while we work on a proper fix.

Notification and Response

You should immediately receive an automated response from our system letting you know we have your report.

However, you may not receive any response from us while we investigate the issue. This is because we will focus immediately on the investigation and fixing the issue.

Sometimes we may need further information from you if we are unable to reproduce the issue and if so we will respond with questions related to the investigation to help us track down the problem.

Once the vulnerability report has been resolved we will contact you to let you know the status of the investigation and fixes. If we've found that the issue still exists upstream and has not been reported we will also recommend you report the issue to them as well if you haven't done so already.

Public Disclosure

In the interest of protecting our customer data and services, please allow us a minimum of 60 days prior to any public disclosures, which will allow us time to fix any problems found.

Once we've responded and let you know that we've fixed the vulnerability you may publicly disclose the problem on your blog or using other methods as you wish.

Monetary Rewards

We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer monetary rewards for vulnerability disclosures.

Data Sharing and Usage

We will not share any information you provide us with any other party in any case and we will use your report for the sole purpose of fixing the problem.

Legal

We don't want this to be too formal as we dislike dealing with legal stuff as much as anyone else. But of course to protect you and ourselves we will include our legal part here:

Eternal Goth considers ethical hacking research conducted consistent with this policy to be "authorised" under criminal and civil law. Eternal Goth will not pursue or attempt to pursue civil action, or initiate a complaint, about accidental, good-faith violations.

In the unlikely event that legal action is initiated by a third party against you and you have complied with the Terms, Eternal Goth will take steps to make it known that your actions were conducted in compliance and with our approval.

Policy Updates

We may occasionally need to update this policy to better suit our needs. Any changes to this policy will apply only to actions taken 48 hours or more after the update; they will not be applied to previously submitted vulnerabilities or to actions taken before the update.

If the policy was last updated less than 48 hours before you read it, simply go by the current version.

Acknowledgments

We may publish a public thank you and acknowledgment to those who have helped us find vulnerabilities as we are always grateful. Naturally we also understand you may wish to remain anonymous and not be publicly credited.

Prior to any publications or acknowledgement we will contact you with information about the publication and we will wait for your response before we publish anything. We will take no response as wishing to remain anonymous.

Any publication, if you accept, will only include your name and minor details about the vulnerability.

Further Clarification or Questions

If you would like more information, or have any other questions about this policy please open a new ticket here. Any questions about this policy will be answered by our security team.
