Skip to main content
Back to Home

Responsible Disclosure

Overview

Ransom-ISAC takes the security of its systems and platforms seriously. We welcome responsible reporting of security vulnerabilities from the security research community and the public.

This policy sets out how to report a vulnerability and what you can expect from us in return.

Scope

This policy covers vulnerabilities in systems, applications, and infrastructure owned and operated by Ransom-ISAC. It does not extend to third-party services, platforms, or software that we may use but do not control.

Reporting a Vulnerability

If you believe you have identified a security vulnerability, please report it to us as soon as reasonably possible. Reports should include sufficient detail for us to understand and reproduce the issue, including the affected system or URL, a description of the vulnerability, and any steps to reproduce it.

We ask that you do not publicly disclose details of the vulnerability until we have had a reasonable opportunity to investigate and address it.

What We Ask

When conducting security research and reporting vulnerabilities, we ask that you act in good faith and avoid actions that could cause harm, disruption, or data loss to our systems, our members, or any third parties. Specifically, we ask that you do not access, modify, or delete data belonging to others, do not disrupt or degrade our services, and do not use the vulnerability for any purpose other than reporting it to us.

Our Commitment

We will acknowledge receipt of your report within a reasonable timeframe and will work to assess and address confirmed vulnerabilities. We will not pursue legal action against individuals who report vulnerabilities in good faith and in accordance with this policy.

We may not be able to provide detailed updates on the status of every report, but we appreciate and take seriously all submissions made in the spirit of improving our security.

Safe Harbour

Ransom-ISAC considers security research conducted in accordance with this policy to be authorised. We will not pursue civil or criminal action against researchers who act in good faith and comply with the guidelines set out above.

This safe harbour does not extend to actions that violate applicable law, affect systems not owned by Ransom-ISAC, or cause harm to our members, users, or third parties.

Recognition

We may, at our discretion, acknowledge individuals who report valid vulnerabilities. We do not currently operate a bug bounty or financial reward programme.

To report a vulnerability, contact us at [email protected].