Coordinated Vulnerability Disclosure
Report and Policy
Report a vulnerability
If you find a weak spot in one of these systems or products, ICT Group would like to hear from you as soon as possible. This enables us to act swiftly and take additional measures to improve security as stated in our Coordinated Vulnerability Disclosure policy. Complete the form below to submit a CVD report.
Report vulnerability (CVD)
Coordinated Vulnerability Disclosure policy
Coordinated vulnerability disclosure procedure
The purpose of the Coordinated vulnerability disclosure procedure is to establish the policy and guidance focusing on Coordinated Vulnerability Disclosure (CVD). By doing so we provide clarity on the actions to take when ICT Group employees or people outside of ICT Group discover security flaws within our systems, networks and products.
Coordinated vulnerability disclosure rules
To enhance ICT Group’s security posture, we request people to:
- Submit their findings through the 'Coordinated Vulnerability Disclosure form' listed above.
- Provide us with adequate information to enable us to investigate the vulnerability properly. We need to be able to efficiently reproduce your actions; at least an IP/URL and a description of the vulnerability.
- Provide us with enough information to contact them; i.e., telephone number or email address (external reporters) so we can contact the reporter when we have any questions.
- Refrain from sharing the observations with others until the vulnerability has been solved.
- Act responsibly with this knowledge on the vulnerability; do not perform any actions that go beyond what is necessary to demonstrate the flaw.
Refrain from:
- Using denial-of-service, social engineering or any other disruption of our services.
- Copying, changing or deleting our data.
- Making changes to a system.
- Installing malware.
- Using “brute force” techniques.
What can be expected from ICT Group:
If you comply with the conditions above, ICT Group will not pursue legal action against you following your report.
- ICT Group will confirm the receipt of your report within 72 hours.
- ICT Group will send you our technical appraisal of your report within 30 days and will subsequently instruct you on the ‘black out period’ needed to deal with the vulnerability, if one is required.
- ICT Group will handle your report as ‘confidential’, respecting your privacy unless we are legally required to disclose information to authorities.
- An assessment of your report will be done by ICT Group technical staff, considering the potential impact. Their assessment is not open to discussion. When the assessment deems the disclosure valid, ICT Group offers, as a token of appreciation for your efforts in working with us to improve cybersecurity, to put your name on the “Coordinated vulnerability disclosure Wall of Fame”. Duplicate disclosures will not be assessed.