EURid Responsible Disclosure Policy
We take the security of our systems and services seriously in order to protect the privacy of our users and customers and the stability and availability of our services. Nevertheless, if you come across an issue that you consider a vulnerability, let us know as soon as possible by following these guidelines.
We require that you:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Have no criminal or malicious intent;
- Perform research only within the scope set out below;
- Use the communication channels identified below to report vulnerability information to us;
- Keep information about any vulnerability you’ve discovered confidential between yourself and EURid until we’ve had 60 days to resolve the issue;
- Do not place malware or any other software on our systems;
- Do not alter the configuration of our systems;
- Do not copy, delete or modify data on our systems;
- Do not share access to vulnerable systems with others or repeatedly gain access to vulnerable systems; and
- Remove sensitive material from your systems once the issue has been resolved.
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursuing or supporting any legal action related to your findings and actions, provided our guidelines have been observed;
- Confirming receipt within one working day;
- Working with you to understand and resolve the issue quickly;
- Keeping our communication personal and confidential;
- Not divulging your personal information to third parties unless obliged by law;
- Fixing the issue as soon as possible, and certainly within 60 working days after receipt of the report;
- Discussing with you what and how related information can be disclosed after the issue has been fixed.
Scope
- All sites and services under the following domain names:
- Security issues related to the YADIFA name server project.
- Our authoritative name servers, as listed in the NS resource record set of the above domains and of the .eu and .ею top-level domains.
- Systems and services in our autonomous system numbers (ASNs):
Out of scope
Any service or website under a domain name in the .eu namespace that is not held by EURid, as shown in WHOIS. See http://www.whois.eu/ to determine the registrant of a domain name.
In the interest of the safety of our users, staff, the Internet at large and yourself, the following is out of scope:
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing)
- Findings from applications or systems not listed in the ‘Scope’ section
- UI and UX bugs and spelling mistakes
- Network level Denial of Service (DoS/DDoS) vulnerabilities
How to report a security vulnerability?
If you believe you've found a security vulnerability in one of our products or platforms, please send it to us by email, encrypted with our PGP key, to security [dot] office [at] eurid [dot] eu. Alternatively, you can use our secure transfer platform https://cs.eurid.eu. Please include the following details with your report:
- Description of the location and potential impact of the vulnerability;
- A detailed description of the steps required to reproduce the vulnerability (PoC scripts, screenshots and compressed screen captures are all helpful to us); and
- How to contact you.
Our PGP key for responsible disclosure can be found here.
We reserve the right to take legal action and report your activities to authorities when this policy is not followed.