Principle and intent
At Edgis-Security, we ensure that all respective system owner(s) and relevant authorities are duly notified and accorded sufficient time to remediate before any disclosure is made public. The intent is to ensure that affected parties have adequate time to carry out the appropriate amendments without suffering adverse effects arising from a disclosed vulnerability.
The editorial team must review all disclosure submissions before any publication on edgis-security.org is made. The editorial team reserves the right to reject any submission for publication.
As a rule of thumb, the editorial team publicises the findings after the vulnerability is remediated. However, to balance the need for the public to be informed of security vulnerabilities with the need for affected parties to be accorded time to respond effectively, the final publication schedule will be determined at the discretion of the core team.
Window to respond
The editorial team will do its best to notify the affected system owner(s) and relevant authorities. The affected system owner(s) and relevant authorities have three weeks (21 days) to acknowledge receipt of the first vulnerability notification before a full disclosure is made.
Ownership of discovery and related works
All glory and rights over submitted work shall remain with the owner of the discovery. Edgis-Security does not claim the rights over any submitted work.
Identification of involved parties
Parties involved must request to have their identities or association withheld from the disclosure of any vulnerability findings. Otherwise, all associated parties will be identified in the publicised disclosure.
Rules of engagement
All vulnerability discovery must follow these rules of engagement. This applies especially to web applications.
- No denial of service attacks allowed.
- No automated scanning tools allowed, e.g. Nessus, Nmap, Nikto, Hydra.
- No SQL injection allowed.
- No phishing allowed.
- No defacement allowed, e.g. persistent XSS.
- No consecutive automated requests exceeding 60 per hour.
- All vulnerabilities shall be reported within 48 hours of discovery.
- The informant shall document details of the discovery such as the time, a description of the activity, the observation, and the IP address used.
Informants are advised to work with the affected system owners to conduct more pervasive or active vulnerability discovery.