Responsible Disclosure Guidelines

JNCTN Responsible Disclosure Guidelines

If you identify a security issue, please tell us so that we can get it fixed.

At JNCTN we take the security of our systems seriously and we value input from the security community. Responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our information.

As such, JNCTN’s security team wants to work with anyone who reports a vulnerability in our systems. JNCTN will validate, respond and fix vulnerabilities in accordance with our commitment to security and privacy. We will not take legal action or suspend or terminate access to JNCTN services for those who discover and report security vulnerabilities in accordance with the Responsible Disclosure guidelines.

JNCTN reserves its legal rights in the event of noncompliance with our Responsible Disclosure guidelines.

Guidelines

Your research

We ask that anyone doing security testing:

1. Informs us prior by emailing: security@jnctn.nz, so we can take this into account if this triggered our Incident Response Plan
2. makes every effort to avoid interference with or breach of the privacy of individuals, degradation of user experience, disruption to production systems and destruction of data
3. deletes, and does not share, any JNCTN confidential information / personal information they might have obtained
4. uses the identified communication channel to report vulnerability information to us reasonably soon after they find it
5. keeps information about any vulnerability they’ve discovered confidential between themselves and JNCTN until we have had an opportunity to fix the vulnerability.

Our commitment

If you follow these Responsible Disclosure guidelines when reporting an issue to us, we commit to:

1. being as straightforward and communicate as we can with you
2. treating the information you share with us as confidential within JNCTN and our suppliers, unless disclosure is necessary where:
   1. a third party discovers the vulnerability before we have had the opportunity to resolve it
   2. the vulnerability information is used to cause a privacy breach and JNCTN is required to handle the breach in accordance with the Privacy Act 2020
3. not pursuing any legal action related to your research (provided you follow the Responsible Disclosure guidelines, keep our information confidential and cause no damage/disruption to JNCTN services)
4. working with you to understand and resolve the issue quickly (including an initial confirmation of your report within seven days of submission)
5. recognising your contribution with a letter of acknowledgement if you are the first to report the issue and we make a code or configuration change based on the issue.

Out of scope

Services hosted by third-party providers or vendors are excluded from scope.

In the interest of the safety of our users, staff, the internet at large and you, the following test types are excluded from the scope:

1. findings from physical testing such as office access (eg, open doors, tailgating)
2. findings derived primarily from social engineering (eg, phishing, whaling)
3. UI and UX bugs and spelling mistakes
4. network-level Denial of Services (Dos/DDoS) vulnerabilities
5. destruction or corruption of (or attempts to destroy or corrupt) data or information that belongs to JNCTN, including any information that may be relevant to you.

How to report a security vulnerability

If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing: security@jnctn.nz.