Commit
commit 77c234e (1 parent: e6c95ad)
Showing 1 changed file with 33 additions and 54 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,63 +1,42 @@ | ||
# EU Digital Identity Wallet Vulnerability Disclosure Policy (VDP) | ||
|
||
At the European Commission, we treat the security of our Communication and Information Systems as a | ||
top priority, in line with Commission Decision EC 2017/46. However, vulnerabilities can never be | ||
completely eliminated, despite all efforts. If exploited, such vulnerabilities can harm the | ||
confidentiality, integrity or availability of the Commission's systems and of the information | ||
processed therein. To identify and remediate vulnerabilities as soon as possible, we value the input | ||
of external entities acting in good faith, and we encourage responsible vulnerability research and | ||
disclosure. This document sets out our definition of good faith in the context of finding and | ||
reporting vulnerabilities, as well as what you can expect from us in return. | ||
At the European Commission, we treat the security of our Communication and Information Systems as a top priority, in line with Commission Decision EC 2017/46. However, vulnerabilities can never be completely eliminated, despite all efforts. If exploited, such vulnerabilities can harm the confidentiality, integrity or availability of the Commission's systems and of the information processed therein. To identify and remediate vulnerabilities as soon as possible, we value the input of external entities acting in good faith, and we encourage responsible vulnerability research and disclosure. This document sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return. | ||
|
||
## Scope | ||
|
||
- Architecture and Reference Framework | ||
- Source code in [eu-digital-identity-wallet](https://github.com/eu-digital-identity-wallet) public | ||
repositories | ||
|
||
## If you have identified a vulnerability, please do the following: | ||
|
||
* E-mail your findings to EC-VULNERABILITY-DISCLOSURE@ec.europa.eu, specifying whether or not you | ||
agree to your name or pseudonym being made publicly available as the discoverer of the problem. | ||
* Encrypt your findings using | ||
our [PGP key](https://sks.hnet.se/pks/lookup?search=EC-VULNERABILITY-DISCLOSURE%40ec.europa.eu&fingerprint=on&op=index) | ||
to prevent this critical information from falling into the wrong hands. | ||
* Provide us sufficient information to reproduce the problem so that we can resolve it as quickly as | ||
possible. Usually, the IP address or the URL of the affected system and a description of the | ||
vulnerability will be sufficient, but complex vulnerabilities may require further explanation in | ||
terms of technical information or potential proof-of-concept code. | ||
* Provide your report in English, preferably, or in any other official language of the European | ||
Union. | ||
* Inform us if you agree to make your name/pseudonym publicly available as the discoverer of the | ||
vulnerability. | ||
- Source code in [eu-digital-identity-wallet](https://github.com/eu-digital-identity-wallet) public repositories | ||
|
||
## Please do not do the following | ||
## If you have identified a vulnerability, please do the following | ||
|
||
- E-mail your findings to <EC-VULNERABILITY-DISCLOSURE@ec.europa.eu>, specifying whether or not you agree to your name or pseudonym being made publicly available as the discoverer of the problem. | ||
- Encrypt your findings using our [PGP key](https://pgp.mit.edu/pks/lookup?op=get&search=0x6773AACDF09F6628) to prevent this critical information from falling into the wrong hands. | ||
- Provide us with sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation in terms of technical information or potential proof-of-concept code. | ||
- Provide your report in English, preferably, or in any other official language of the European Union. | ||
- Inform us if you agree to make your name/pseudonym publicly available as the discoverer of the vulnerability. | ||
|
||
* Do not take advantage of the vulnerability or problem you have discovered, for example by | ||
downloading more data than necessary to demonstrate the vulnerability, deleting, or modifying | ||
other people’s data. | ||
* Do not reveal any data downloaded during the discovery to any other parties. | ||
* Do not reveal the problem to others until it has been resolved. | ||
* Do not perform the following actions: | ||
* Placing malware (virus, worm, Trojan horse, etc.) within the system. | ||
* Reading, copying, modifying or deleting data from the system. | ||
* Making changes to the system. | ||
* Repeatedly accessing the system or sharing access with others. | ||
* Using any access obtained to attempt to access other systems. | ||
* Changing access rights for any other users. | ||
* Using automated scanning tools. | ||
* Using the so-called "brute force" of access to the system. | ||
* Using denial-of-service or social engineering (phishing, vishing, spam etc.). | ||
* Do not use attacks on physical security. | ||
|
||
## What we promise: | ||
|
||
* We will respond to your report within three business days with our evaluation of the report. | ||
* We will handle your report with strict confidentiality. | ||
* Where possible, we will inform you when the vulnerability has been remedied. | ||
* We will process the personal data that you provide (such as your e-mail address and name) in | ||
accordance with the applicable data protection legislation and will not pass on your personal | ||
details to third parties without your permission. | ||
* In the public information concerning the problem reported, we will publish your name as the | ||
discoverer of the problem if you have agreed to this in your initial e-mail | ||
## Please do not do the following | ||
|
||
- Do not take advantage of the vulnerability or problem you have discovered, for example, by downloading more data than necessary to demonstrate the vulnerability, deleting, or modifying other people’s data. | ||
- Do not reveal any data downloaded during the discovery to any other parties. | ||
- Do not reveal the problem to others until it has been resolved. | ||
- Do not perform the following actions: | ||
- Placing malware (virus, worm, Trojan horse, etc.) within the system. | ||
- Reading, copying, modifying or deleting data from the system. | ||
- Making changes to the system. | ||
- Repeatedly accessing the system or sharing access with others. | ||
- Using any access obtained to attempt to access other systems. | ||
- Changing access rights for any other users. | ||
- Using automated scanning tools. | ||
- Using the so-called "brute force" of access to the system. | ||
- Using denial-of-service or social engineering (phishing, vishing, spam, etc.). | ||
- Do not use attacks on physical security. | ||
|
||
## What we promise | ||
|
||
- We will respond to your report within three business days with our evaluation of the report. | ||
|
||
- We will handle your report with strict confidentiality. | ||
- Where possible, we will inform you when the vulnerability has been remedied. | ||
- We will process the personal data that you provide (such as your e-mail address and name) in accordance with the applicable data protection legislation and will not pass on your personal details to third parties without your permission. | ||
- In the public information concerning the problem reported, we will publish your name as the discoverer of the problem if you have agreed to this in your initial e-mail |
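Review bot: the PGP key reference in the "please do the following" list loses its verifiability in this change: the old link (`sks.hnet.se ... &fingerprint=on`) searched by the mailbox address and displayed the fingerprint, while the new link (`https://pgp.mit.edu/pks/lookup?op=get&search=0x6773AACDF09F6628`) fetches a key by long key ID alone, and keyserver lookups are not authenticated, so a reporter has nothing in the policy to check the downloaded key against. Suggest publishing the full fingerprint in the policy text next to the link (or linking a key file hosted in this repository), so reporters can confirm they are encrypting to the Commission's key before sending vulnerability details. Two smaller points: the blank line inserted after `- We will respond to your report within three business days ...` splits the "What we promise" list into two lists when rendered and looks unintentional; and the first and last bullets of the reporting list both ask whether the reporter agrees to be named (`specifying whether or not you agree to your name or pseudonym ...` and `Inform us if you agree to make your name/pseudonym publicly available ...`), which this rewrite could have merged.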