Responsible Disclosure
The Portuguese Cybersecurity Center (CNCS) and the DNS.PT Association (.PT) consider the security of their users and systems a priority. We are committed to investigate and correct any vulnerability found on this platform in direct collaboration with the infosec community.
As promoters and entities responsible for the maintenance of the Webcheck.pt platform, .PT and CNCS allow the interested community to perform security tests and disclosure of the results under the terms and conditions set forth in this policy in order to identify any vulnerability.
This policy aims to define the cooperation methodology between the sponsoring entities and the community in order to facilitate the identification and mitigation of the security vulnerabilities following an ethical and responsible approach and contributing to a safer and more reliable use of the Internet.
If you identify any vulnerability please contact us through the e-mail address: info@webcheck.pt.
The e-mail should be encrypted with our PGP key in order to guarantee the confidentiality of the information:
- Key-ID: 4761FCDB
- Fingerprint: 145D898B98FE9CCB225A761D8D43EEFE4761FCDB
SCOPE:
The terms defined in this policy applies only to the vulnerabilities identified in the Webcheck.pt platform and the servers that support its operation.
OUT OF SCOPE:
WHAT WE REQUEST:
WHAT TO EXPECT FROM US:
As promoters and entities responsible for the maintenance of the Webcheck.pt platform, .PT and CNCS allow the interested community to perform security tests and disclosure of the results under the terms and conditions set forth in this policy in order to identify any vulnerability.
This policy aims to define the cooperation methodology between the sponsoring entities and the community in order to facilitate the identification and mitigation of the security vulnerabilities following an ethical and responsible approach and contributing to a safer and more reliable use of the Internet.
If you identify any vulnerability please contact us through the e-mail address: info@webcheck.pt.
The e-mail should be encrypted with our PGP key in order to guarantee the confidentiality of the information:
- Key-ID: 4761FCDB
- Fingerprint: 145D898B98FE9CCB225A761D8D43EEFE4761FCDB
SCOPE:
The terms defined in this policy applies only to the vulnerabilities identified in the Webcheck.pt platform and the servers that support its operation.
OUT OF SCOPE:
1. Exploit vulnerabilities or use techniques that may lead to degradation or denial of service;
2. Use of means and resources that are disproportionate and inadequate to prove identified vulnerabilities;
3. Conduct physical security tests, use social engineering techniques, spam or phishing as well as extend testing to third-party applications even if they are being used by the webcheck.pt platform;
4. Human resources exploitation;
5. Use of identified vulnerabilities or errors to access data beyond what is strictly necessary for its verification;
6. Erasing or modifying data.
WHAT WE REQUEST:
1. Provide us detailed, relevant and sufficient information that allows the analysis of the identified vulnerability;
2. Do not use the information obtained in an abusive manner and that may compromise the availability and confidentiality of the information and the integrity of the platform;
3. Ensure the privacy of the users;
4. Do not disclose identified vulnerabilities until it is corrected or 90 days after receiving the first response, unless expressly stated otherwise by the promoting entities;
5. Ensure a cooperative and responsible behavior and in compliance with the law.
WHAT TO EXPECT FROM US:
1. A response within a maximum of seven days stating the evaluation of the reported vulnerability and the temporal estimate of correction;
2. If you follow the rules and procedures described in this policy no criminal participation will be made for facts related to the discovery of the reported vulnerability;
3. Confidentiality: We will not provide information to third parties without authorization, unless arising from legal obligation;
4. Provide relevant information related to the resolution of the identified vulnerability, whenever possible and appropriate;
5. The recognition through the platform with the name/nickname and vulnerability found;
6. In the context of the Responsible Disclosure and within the applicable legal regime, your personal data will be erased immediately after the reason for which they were processed. Any question regarding treatment or access to personal data should be addressed to info@webcheck.pt with the subject: Treatment of personal data.