Vulnerability Responsible Disclosure Policy
Thank you for reading our responsible disclosure policy. The SiLA-Standard organisation (SiLA) takes cyber security very seriously and supports responsible disclosure of discovered vulnerabilities. We consider security a top priority, but accept that, despite our best intentions, vulnerabilities can still be present.
Code produced by the organisation is non-commercial, open source and frequently volunteer generated. Commercial organisations may use our code wholly or in part at their own discretion; this is outside the control of SiLA.
Vulnerability reports for SiLA code are appreciated, as are reports concerning the SiLA-Standard website. If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorised, we will work with you to understand and resolve the issue quickly, and SiLA will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorisation known.
When you discover a vulnerability, please do the following:
- Report it via the email address vulnerabilities@sila-standard.org
- Stop your tests if you discover any sensitive information (Personally Identifiable Information – PII, financial, proprietary information or trade secrets), notify us immediately and do not disclose any obtained data to anyone else.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence.
- Provide sufficient information so that we can reproduce the problem, including any relevant software versions. This will allow us to resolve it as quickly as possible.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.
- Provide your assessment of the severity of the vulnerability, i.e. how it could be used to do harm.
- You may report vulnerabilities anonymously, but we would be grateful if you would provide a means for us to communicate with you, to request more details, or simply to keep you updated on progress.
- If possible, please report the vulnerability in English.
Please do not:
- Take advantage of the vulnerability.
- Use an exploit to compromise or exfiltrate data, establish persistent command-line access, or pivot to other systems.
- Share the problem with others until it has been resolved.
- Place malware (virus, worm, Trojan horse, etc.) on any system.
- Compromise any systems using exploits to gain full or partial control.
- Copy, modify or delete data from the system.
- Make changes to the system.
- Repeatedly access the system or share access with the public or other parties.
- Use any access obtained to attempt to access other systems.
- Change access rights of other users.
- Use automated scanning tools unless working on your own local deployment of code.
- Use a so-called “brute force” attack to access any systems.
- Use denial-of-service or social engineering (phishing, vishing, spam, etc.).
- Use attacks on physical security.
We will:
- Endeavour to pass your report on to the relevant owners if it concerns products that use the SiLA protocol but do not use code owned by SiLA. We will discuss this with you before sharing any information you provide.
- Pass the report to the appropriate repository owner(s) for their attention. As a volunteer-supported organisation with no coding staff, our responses and resolutions may be slower than you would expect from a commercial entity: initial appraisal of the vulnerability may take up to two weeks, and resolution may take longer depending on the nature of the finding.
- Keep you informed of progress, either directly or through the repository owner.
- Inform you when the matter is concluded.
- Consider publication of the discovery once it has been successfully resolved, if doing so is in the interest of all parties. We believe that sharing such information improves cyber security for the whole industry.
- Publish your name as the discoverer of the problem, if you have agreed to this in your initial e-mail, when and if we disclose the problem publicly.
- Process the personal data that you provide (such as your e-mail address and name) in accordance with the applicable data protection legislation, and not pass your personal details on to third parties without your permission.
- Not offer or provide any bounty or reward for reports.
- Reserve the right, if a disclosed vulnerability affects commercial code used by members or partners of SiLA, to inform them of the nature of the vulnerability under investigation so that they can put appropriate mitigations in place without delay. We will discuss this with you before sharing any information you provide.
- Follow the applicable regional legislative requirements relating to mitigating and reporting vulnerabilities.
Version 1.0 / March 2025