<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://www.hackerone.com/">
  <channel>
    <title>New Zealand</title>
    <link>https://www.hackerone.com/</link>
    <description/>
    <language>en</language>
    
    <item>
  <title>Information Security Manual (ISM)</title>
  <link>https://www.hackerone.com/node/2378</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Information Security Manual (ISM)</span>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Mon, 07/29/2024 - 16:31
</span>

  
    Jurisdiction: New Zealand
    Region: Asia/Pacific
    Requirement: Recommended
    Organization: Government Communications Security Bureau
    Provision: Objective 5.9
    Applies to: New Zealand Government departments, agencies and organizations; Crown entities, local government and private sector organizations
    Date: September 2024
          

  
    Description
              <strong>Objective 5.9.1.</strong> Agencies implement a Vulnerability Disclosure Policy (VDP) to enable members of the public to report vulnerabilities in the agency’s public-facing systems and applications and receive feedback on such reports.
              <strong>Objective 5.9.20.</strong> A VDP will typically include:
              A scoping statement setting out which systems the policy applies to (e.g. the agency’s website and other public-facing systems);
              Details of how finders can contact the agency’s security team (including any public keys for encrypting reports);
              Permitted activities;
              Acknowledgement of reports and a response time (typically 60 or 90 days) for corrections, adjustments, or other “fixes”;
              Reporters/finders agreeing to not share information about the vulnerability until the end of the disclosure period, to let the organisation fix the issues before it becomes public;
              Illegal activities are not permitted (specifying any relevant legislation, such as the Crimes Act, the Privacy Act etc.); and
              Either a statement that bug bounties will not be paid for any discoveries, or information about the agency’s bug bounty programme.
              Version 3.8 of this manual was released in September 2024.
          

            <a href="https://nzism.gcsb.govt.nz/ism-document/#Section-12947">https://nzism.gcsb.govt.nz/ism-document/#Section-12947</a>
      ]]></description>
  <pubDate>Mon, 29 Jul 2024 21:31:47 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2378 at https://www.hackerone.com</guid>
    </item>

  </channel>
</rss>
