Security Vulnerability Disclosure Policy
Published: October 11, 2023
At Arcitecta, we recognise the importance of security researchers in keeping our products and services secure. We are committed to addressing and resolving security issues in a timely manner. This policy sets forth our guidelines for sharing your findings with us.
Reporting a Vulnerability
If you believe you've found a security vulnerability in one of our products, please email us at vulnerabilitydisclosure@arcitecta.com.
Please include the following:
Date the vulnerability was observed.
Location of the vulnerability (e.g. URL, domain etc).
Detailed description of the vulnerability.
Steps to reproduce the issue, including tools or scripts used.
Your contact information.
Responsible Disclosure Guidelines
We ask that you:
Do not disclose the vulnerability to the public until we've addressed it.
Avoid violating privacy, disrupting our services, or damaging user data.
Use the provided contact method to report vulnerabilities.
What the policy covers
Our security vulnerability disclosure policy covers:
any product or service wholly developed by Arcitecta to which you have lawful access
any product or service we provide to partners to which you have lawful access
Under this policy, you must not:
- disclose vulnerability information publicly
- engage in unlawful or unethical behaviour
- reverse engineer Arcitecta products or systems
- make unavailable, degrade, or affect the availability of Arcitecta systems and/or products, including denial of service (DoS) attacks
- introduce malicious software or similar harmful software that could impact our services, products or customers or any other party
- attempt to access accounts or data that do not belong to you
- modify, destroy, exfiltrate, or retain data stored in Arcitecta systems or products
- conduct social engineering (including phishing) of Arcitecta employees, contractors, customers, or any other party
- submit false, misleading or dangerous information to Arcitecta systems
Do not report security vulnerabilities relating to missing security controls or protections that are not directly exploitable. Examples include:
weak, insecure or misconfigured SSL (secure sockets layer) or TLS (transport layer security) certificates
misconfigured DNS (domain name system) records including, but not limited to SPF (sender policy framework) and DMARC (domain-based message authentication reporting and conformance)
missing security HTTP (hypertext transfer protocol) headers (for example, permissions policy)
theoretical cross-site request forgery and cross-site framing attacks.
You agree that we may use any information or material you disclose to us for any purpose whatsoever, including, but not limited to, reproduction, disclosure, transmission, publication, broadcast, and further posting.
Our Commitment
Upon receiving your report, we commit to:
Acknowledge receipt of your report within 3 business days.
Confirm the existence of the vulnerability within 7 business days.
Address the vulnerability in a timely manner and communicate our progress.
Publicly acknowledge your responsible disclosure, if you wish.
Safe Harbour
Arcitecta will not pursue legal action against individuals who adhere to this policy, make a good faith effort to follow responsible disclosure principles, and provide us with the opportunity to remediate any reported issues.
Rewards and Recognition
Please note that we do not provide any form of compensation (including but not limited to monetary compensation or financial benefits) to individuals or organisations for identifying potential or confirmed security vulnerabilities. Any requests for any form of compensation will be deemed a violation of this Responsible Disclosure Program.
Australian Law
This policy is governed by the laws of Australia. Any dispute arising under this policy will be subject to the exclusive jurisdiction of the courts of Australia.
Updates to this Policy
We may revise this policy from time to time. The most current version of the policy will always be available on our website.
Hall of Fame
Listed below are people or groups who have disclosed vulnerabilities to us; a name or alias is included if consent has been received from the person/s who identified it:
none recorded at this time