VULNERABILITY RESPONSIBLE DISCLOSURE POLICY (VDP)

France Cyber Maritime encourages the responsible disclosure of security vulnerabilities concerning its services and website. In order to ease the disclosure of security vulnerabilities, we agree that if, in our sole discretion, we conclude that a disclosure meets all of the guidelines of our VDP, we will not bring any private or criminal legal action against the disclosing party.

VDP PROGRAM POLICY AND TERMS

We recognize the important role that security researchers and our user community play in helping to keep the Internet secure. If you discover a site or product vulnerability, please notify us using the guidelines below. Enquiries or reports that do not respect these guidelines will not be considered.

PROGRAM TERMS

Your participation in this VDP is voluntary and subject to the terms and conditions set forth on this page ("PROGRAM TERMS"). By submitting a site or product vulnerability to us, you acknowledge that you have read and agreed to these PROGRAM TERMS. To encourage responsible vulnerability disclosure, we commit that, if we conclude, in our sole and only discretion, that a disclosure respects and meets all the guidelines of these PROGRAM TERMS and our Privacy Policy, we will not bring a private action against you or refer the matter for public inquiry. As part of your research, do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.

THE FOLLOWING .eu DOMAIN IS IN SCOPE:
- www.france-cyber-maritime.eu (Content Management System)

Domains not listed above are not in scope. Any attempt on any unlisted information system or domain will be considered as aggressive.
We will make a best effort to adhere to the following response targets:

Type of Response      Business days
First Response        2 working days
Time to Triage        10 working days
Time to Resolution    depends on severity and complexity

VDP REQUIREMENTS

To comply with the VDP, you must contact us in advance through our contact form, and you must not:
- Be in violation of any international, European, national, state, or local law or regulation;
- Be employed by us or by any of our constituency;
- Be an immediate family member of a member of our non-profit organization or any of its constituencies;
- Use a false identity;
- Be a professional cybersecurity company not mandated by us;
- Be under 16 years of age. If you are at least 16 years old but are considered a minor in your place of residence, you must get your parent's or legal guardian's permission prior to participating in the VDP.

If we discover that you meet any of the criteria above, our VDP program cannot apply to you.

DISCLOSURE GUIDELINES

By providing a Submission or agreeing to the PROGRAM TERMS, you agree that you may not publicly disclose your findings or the contents of your Submission to any third party in any way without our prior written approval. Failure to comply with the PROGRAM TERMS will result in immediate disqualification from our VDP.

QUALIFYING VULNERABILITIES

We will accept a report of any vulnerability that substantially affects the confidentiality or integrity of our services.
Eligible vulnerabilities include, but are not limited to:
- Authentication or authorization flaws, including insecure direct object references and authentication bypass;
- Server-side or remote code execution (RCE);
- Injection vulnerabilities, including SQL and XML injection;
- Directory traversal;
- Privilege escalation;
- Disclosure of actual sensitive or personally identifiable information;
- Significant security misconfiguration with a verifiable vulnerability;
- Exposed system credentials, disclosed by us or our employees, that pose a valid risk to an in-scope asset.

NON-QUALIFYING VULNERABILITIES

Any domain not listed in the policy scope is out of scope for the purposes of the VDP, as are all third-party programs and plug-ins. The following actions do not qualify for the VDP and should not be tested by researchers:
- Reports that involve a secondary user account where an existing business relationship is being leveraged and the impact is limited solely to the parent account;
- Username enumeration on Internet-facing systems (i.e. using server responses to determine whether a given account exists);
- Scanner output or scanner-generated reports, or scanner-based discovery, including any automated or active exploit tool;
- Man-in-the-Middle attacks;
- Physical attacks against our property or IT/OT systems;
- Cross-Site Scripting (XSS);
- Cross-Site Request Forgery (CSRF);
- Clickjacking;
- Vulnerabilities involving stolen credentials or physical access to a device;
- Phishing attacks;
- Social engineering attacks, including those targeting or impersonating any of our organization's employees by any means (social media, personal domains, etc.);
- Open or misconfigured redirects, unless they result in the loss of sensitive data;
- CRIME/BEAST and any other SSL/TLS-related attack or report;
- Logout CSRF;
- Banner, version, file or plugin list disclosures;
- Missing SPF records;
- Directory listing (unless sensitive data can be found);
- DDoS and DoS attacks, brute force and user enumeration;
- Blackhat SEO techniques;
- Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact;
- Vulnerabilities in third-party libraries without showing specific impact to the target application (e.g. a CVE with no exploit);
- Exposed credentials that are either no longer valid or do not pose a risk to an in-scope asset;
- Any bug that relies upon an outdated browser;
- Infrastructure vulnerabilities, including:
  - Issues related to SSL/TLS certificates and servers;
  - Issues related to database servers;
  - DNS configuration issues;
  - Server configuration issues (e.g. open ports, TLS versions, etc.);
- Bugs requiring exceedingly unlikely user interaction;
- Insecure password complexity requirements;
- Email verification/validation issues;
- Testing infrastructures;
- Quality and business logic bugs which do not pose a real risk and do not impact business and customers in a way that could lead to unauthorised access to data or systems, including cases where there is no possibility of taking advantage of the bug to cause some sort of damage to company systems or data.

BUG SUBMISSION REQUIREMENTS

Required information. For all submissions, please include:
- Full description of the vulnerability being reported, including its exploitability and impact;
- Evidence and explanation of all steps required to reproduce the submission, which may include:
  - Videos or step-by-step screenshots;
  - Exploit code;
  - Traffic logs;
  - Web/API requests and responses;
  - Email address or user ID of any test accounts;
  - IP address used during testing;
  - Timestamps, including time zone;
  - Full server requests and responses;
  - Filenames of any uploaded files, which you must suffix with your name and the timestamp;
- Any data that was accessed, either deliberately or inadvertently.

The following actions are authorized within the VDP:
- Directly injecting benign commands via the web application or interface (e.g. whoami, hostname, ifconfig);
- Uploading a file that outputs the result of a hard-coded benign command.

The following actions are prohibited without prior agreement:
- Uploading files that allow arbitrary commands (i.e. a webshell);
- Modifying any files or data, including permissions;
- Deleting any files or data;
- Interrupting normal operations (e.g. triggering a reboot);
- Creating and maintaining a persistent connection to the server;
- Intentionally viewing any files or data beyond what is needed to prove the vulnerability;
- Failing to disclose any actions taken or applicable required information;
- Renaming personal accounts, changing passwords, or creating/deleting users.

HALL OF FAME AND/OR BUG BOUNTY PAYMENTS

You may be eligible to receive a monetary reward ("Bounty Payment") if:
- you are the first person to submit a site or product vulnerability;
- that vulnerability is determined by us to be a valid security issue; and
- you have complied with all PROGRAM TERMS.

For lower-severity vulnerabilities, we may recognize your work and encourage you through an inclusion on our "Hall of Fame". However, note that non-qualifying vulnerabilities should not be searched for and are not eligible for such an award unless we decide otherwise. Bounty Payments, if any, will be determined by us, and at our sole discretion. In no event shall we be obligated, nor may we be threatened, harassed, intimidated or ransomed in any way, to pay or owe you a bounty for any submission or an addition to our Hall of Fame. All Bounty Payments will be made in euros (EUR). You will be responsible for any tax implications related to Bounty Payments you receive, as determined by the laws of your jurisdiction of residence or citizenship. We will determine all Bounty Payments based on the risk and impact of the vulnerability. We retain the right to determine whether a bug submitted to the Bug Bounty Program is eligible. All determinations as to the amount of a bounty made by us are final and not negotiable. Bounty Payment ranges are based on the classification and sensitivity of the data impacted, the ease of exploitation and the overall risk to us, and apply only once we have determined the submission to be a valid security issue.
OWNERSHIP OF SUBMISSIONS

As a condition of participation in our VDP, you hereby grant us a perpetual, irrevocable, worldwide, royalty-free, transferable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to us in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us. You hereby represent and warrant that the Submission is original to you and that you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to us. In no event shall we be precluded from discussing, reviewing, developing for ourselves, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission, irrespective of their similarity to the information in the Submission, so long as we comply with the terms of participation stated herein.

TERMINATION

In the event that:
- you breach any of these PROGRAM TERMS or the terms and conditions of the VDP;
- you do not respect the confidentiality related to the reporting;
- you disclose any information or private exchange through, but not limited to, social media;
- you attempt to or actually threaten, blackmail, harass or ransom us;
- or we determine, in our sole discretion, that your continued participation in the Bug Bounty Program could adversely impact us (including, but not limited to, presenting any threat to our systems, security, finances and/or reputation),
we may immediately terminate your participation in our VDP and disqualify you from it. Please see our recommendations on the proper procedures for testing our applications.
CONFIDENTIALITY

Any information you receive or collect about us, our employees or any of our customers through the VDP ("Confidential Information") must be kept confidential and only used in connection with our VDP. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching our sites, without our prior written consent. Any disclosure of Confidential Information outside of this requirement will result in immediate removal from the Program and from any Hall of Fame agreement.

INDEMNIFICATION

In addition to any obligation you may have under our Agreements, you agree to defend, indemnify and hold us, our constituencies and our officers, directors, agents, employees and suppliers harmless from any claim or demand (including attorneys' fees) made or incurred by any third party due to or arising out of your Submissions, your breach of these PROGRAM TERMS and/or your improper use of our VDP.

CHANGES TO PROGRAM TERMS

The VDP, including its policies, is subject to change or cancellation by us at any time, without notice. As such, we may amend these PROGRAM TERMS and/or its policies at any time by posting a revised version on our website. By continuing to participate in the VDP after we post any such changes, you accept the PROGRAM TERMS, as modified.