Introduction
Hyperware Consulting Pty Ltd is committed to maintaining the security and integrity of our systems and the sensitive data we handle. This Vulnerability Disclosure Policy outlines the framework for reporting and addressing vulnerabilities in our systems to enhance our security posture.
Purpose
The purpose of this policy is to provide guidelines for reporting potential security vulnerabilities discovered by employees, contractors, third-party researchers, or the public. The policy ensures that vulnerabilities are addressed promptly and transparently while protecting the interests of all parties involved.
Scope
This policy applies to all systems, applications, networks, and services owned, managed, or operated by Hyperware Consulting Pty Ltd. It includes all employees, contractors, third-party service providers, and external security researchers.
Reporting Vulnerabilities
Contact Information
Vulnerabilities should be reported via email to [email protected]. Reports should include detailed information about the vulnerability, including steps to reproduce it and any potential impact.
Required Information
When reporting a vulnerability, include the following information:
- Description of the vulnerability
- Affected systems, applications, or services
- Steps to reproduce the vulnerability
- Potential impact or risk associated with the vulnerability
- Any available proof-of-concept or exploit code
- Contact information for follow-up (optional)
Guidelines for Researchers
Non-Destructive Testing
Researchers are requested to avoid activities that could harm Hyperware systems, such as data destruction or service disruption.
Confidentiality
Researchers must not publicly disclose any details of the vulnerability until Hyperware Consulting Pty Ltd has had an opportunity to investigate and resolve it.
Legal Considerations
Researchers are expected to act in good faith and comply with all applicable laws and regulations. Unauthorised access to systems or data beyond the scope of testing is prohibited.
Company Commitments
Acknowledgment
Hyperware Consulting Pty Ltd will acknowledge receipt of the vulnerability report within five business days.
Investigation
Hyperware Consulting Pty Ltd will investigate the reported vulnerability and aim to provide an initial assessment within ten business days.
Resolution
Hyperware Consulting Pty Ltd will prioritise and address confirmed vulnerabilities based on their severity and potential impact. Efforts will be made to resolve critical vulnerabilities within 30 days.
Communication
Hyperware Consulting Pty Ltd will keep the reporter informed of the status of the investigation and resolution efforts. A public advisory may be issued for significant vulnerabilities once they are resolved.
Safe Harbor
Hyperware Consulting Pty Ltd commits to not pursuing legal action against researchers who:
- Follow the guidelines set forth in this policy.
- Act in good faith to report security vulnerabilities.
- Do not exploit the vulnerability beyond the minimum extent necessary to demonstrate its existence.
Changes to Policy
This policy may be updated from time to time to address new security challenges or changes in the threat landscape. The latest version of the policy will be available on the Hyperware Consulting Pty Ltd website (www.hyperware.com.au).
Contact Information
For any questions or clarifications regarding this policy, please contact [email protected].
Authorisation
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorised. We will work with you to understand and resolve the issue quickly, and Hyperware Consulting Pty Ltd will not recommend or pursue legal action related to your research. This includes hacking or penetration testing activities that are conducted in accordance with this policy and are limited to identifying and reporting vulnerabilities without causing harm, disruption, or unauthorised access to sensitive data. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorisation known.
Test Methods
The following test methods are not authorised:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
- Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing.
Scope
This policy applies to the following systems and services:
- *.hyperware.com.au
- Any other subdomain of hyperware.com.au
Any service not expressly listed above, such as any connected services, is excluded from scope and is not authorised for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at [email protected] before starting your research.
Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.
Reporting a Vulnerability
We accept vulnerability reports at [email protected]. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. We will not share your name or contact information without express permission.
For particularly sensitive information, submit through our HTTPS web form.
What we would like to see from you
To help us triage and prioritise submissions, we recommend that your reports:
- Describe the location where the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
- Be in English, if possible.
What you can expect from us
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
- Within 3 business days, we will acknowledge that your report has been received.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
- We will maintain an open dialogue to discuss issues.
Questions
Questions regarding this policy may be sent to [email protected]. We also invite you to contact us with suggestions for improving this policy.
By adhering to this Vulnerability Disclosure Policy, Hyperware Consulting Pty Ltd aims to foster a collaborative approach to security, encouraging responsible disclosure of vulnerabilities to protect our systems and the sensitive data of our clients.