Vulnerability Disclosure Policy

Introduction

Hyperware Consulting Pty Ltd is committed to maintaining the security and integrity of our systems and the sensitive data we handle. This Vulnerability Disclosure Policy outlines the framework for reporting and addressing vulnerabilities in our systems to enhance our security posture.

Purpose

The purpose of this policy is to provide guidelines for reporting potential security vulnerabilities discovered by employees, contractors, third-party researchers, or the public. The policy ensures that vulnerabilities are addressed promptly and transparently while protecting the interests of all parties involved.

Scope

This policy applies to all systems, applications, networks, and services owned, managed, or operated by Hyperware Consulting Pty Ltd. It includes all employees, contractors, third-party service providers, and external security researchers.

Reporting Vulnerabilities

Contact Information

Vulnerabilities should be reported via email to [email protected]. Reports should include detailed information about the vulnerability, including steps to reproduce it and any potential impact.

Required Information

When reporting a vulnerability, include the following information:

Description of the vulnerability
Affected systems, applications, or services
Steps to reproduce the vulnerability
Potential impact or risk associated with the vulnerability
Any available proof-of-concept or exploit code
Contact information for follow-up (optional)

Guidelines for Researchers

Non-Destructive Testing

Researchers are requested to avoid activities that could harm Hyperware systems, such as data destruction or service disruption.

Confidentiality

Researchers must not publicly disclose any details of the vulnerability until Hyperware Consulting Pty Ltd has had an opportunity to investigate and resolve it.

Legal Considerations

Researchers are expected to act in good faith and comply with all applicable laws and regulations. Unauthorised access to systems or data beyond the scope of testing is prohibited.

Company Commitments

Acknowledgment

Hyperware Consulting Pty Ltd will acknowledge receipt of the vulnerability report within five business days.

Investigation

Hyperware Consulting Pty Ltd will investigate the reported vulnerability and aim to provide an initial assessment within ten business days.

Resolution

Hyperware Consulting Pty Ltd will prioritise and address confirmed vulnerabilities based on their severity and potential impact. Efforts will be made to resolve critical vulnerabilities within 30 days.

Communication

Hyperware Consulting Pty Ltd will keep the reporter informed of the status of the investigation and resolution efforts. A public advisory may be issued for significant vulnerabilities once they are resolved.

Safe Harbor

Hyperware Consulting Pty Ltd commits to not pursuing legal action against researchers who:

Follow the guidelines set forth in this policy.
Act in good faith to report security vulnerabilities.
Do not exploit the vulnerability beyond the minimum extent necessary to demonstrate its existence.

Changes to Policy

This policy may be updated from time to time to address new security challenges or changes in the threat landscape. The latest version of the policy will be available on Hyperware Consulting Pty Ltd website (www.hyperware.com.au).

Contact Information

For any questions or clarifications regarding this policy, please contact [email protected].

Authorisation

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorised. We will work with you to understand and resolve the issue quickly, and Hyperware Consulting Pty Ltd will not recommend or pursue legal action related to your research. This includes hacking or penetration testing activities that are conducted in accordance with this policy and are limited to identifying and reporting vulnerabilities without causing harm, disruption, or unauthorised access to sensitive data. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorisation known.

Test Methods

The following test methods are not authorised:

Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing.

Scope

This policy applies to the following systems and services:

*.hyperware.com.au
Any other subdomain of hyperware.com.au

Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorised for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at [email protected] before starting your research.

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.

Reporting a Vulnerability

We accept vulnerability reports at [email protected] (link sends e-mail). Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.

Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. We will not share your name or contact information without express permission.

For particularly sensitive information, submit through our HTTPS web form.

What we would like to see from you

To help us triage and prioritise submissions, we recommend that your reports:

Describe the location where the vulnerability was discovered and the potential impact of exploitation.
Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
Be in English, if possible.

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

Within 3 business days, we will acknowledge that your report has been received.
To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
We will maintain an open dialogue to discuss issues.

Questions

Questions regarding this policy may be sent to [email protected]. We also invite you to contact us with suggestions for improving this policy.

By adhering to this Vulnerability Disclosure Policy, Hyperware Consulting Pty Ltd aims to foster a collaborative approach to security, encouraging responsible disclosure of vulnerabilities to protect our systems and the sensitive data of our clients.

How Can We Help You?

Other Case Studies

Australian Government – Lotus Forms Project

Multi-National – Web Based .Net Opportunity Analysis solution

Victorian Government Staff Performance (PPD Online)

Victorian Government – Interactive Documentation Access

Leading Australian Retailer – Retail Operations System