Bug Report
ISACA is committed to ensuring the security of its information systems and member data by taking reasonable measures to ensure the confidentiality, integrity, and availability of ISACA systems in order to provide the best possible digital experience. We also firmly believe that empowering our users to provide their input strengthens that experience and builds trust in the IS/IT community.
To that end, ISACA is proud to introduce a Bug Bounty program! ISACA welcomes you to spot and report flaws, vulnerabilities and other issues that may interfere with site functions and other digital assets—and is prepared to reward you for your vigilance with ISACA swag! Simply complete the form below to report what you find.
Note: Please enable third-party cookies in your browser settings if you don't see the submission form, or view this page in a normal (non-private) window.
What is a vulnerability?
A vulnerability is a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”
ISACA’s Vulnerability Disclosure Policy (VDP) has been set up to accommodate good-faith research that conforms to ISACA guidelines for consideration as authorized research. ISACA will work to resolve a vulnerability identified through authorized research under this policy.
How do I report a bug?
We encourage security researchers to report potential vulnerabilities in ISACA systems by completing the form above. You can also contact us by e-mail at BugReport@ratherget.com with any questions or comments.
Authorization:
ISACA welcomes the opportunity to hear from good-faith security researchers who conduct security research under these acceptable VDP guidelines.
Good faith research is not considered a security breach if it follows the guidelines below.
These Guidelines Require that You/a Researcher:
- Access an ISACA information system responsibly in a way that follows this VDP.
- Report a vulnerability that you discover by following the instructions.
- Make every effort to prevent privacy violations, degradation of the user experience, disruption of our production systems, and destruction or manipulation of any data on ISACA systems.
- Limit the use of discovered exploit(s) to the extent necessary to confirm a vulnerability’s presence.
- Not use an exploit to compromise or exfiltrate any data, obtain command-line access and/or persistence, or laterally traverse to other ISACA systems.
- Not use ISACA as a launch pad to attempt intrusions on non-ISACA systems.
- Not implant any external code or data, even if considered non-malicious, on ISACA systems.
- Not attempt to “phish” or use other social-engineering methods on ISACA personnel.
- Provide ISACA a reasonable amount of time to resolve the issue before you disclose it publicly.
- Not submit repetitive reports or a high volume of low-quality vulnerability reports.
Scope:
The ISACA VDP program only applies to the following target domains:
*.ratherget.com
*.cmmiinstitute.com
Subdomains, domains and third-party integrations NOT in scope include:
Any dev.*.*, stage.*.*, UAT.*.* and SIT.*.*
jobs.ratherget.com
engage.ratherget.com
What we expect:
In order to help us triage and prioritize submissions, we require that your submission:
- Describe in as much detail as possible how the vulnerability was discovered and the potential impact of exploitation.
- Include instructions to reproduce the vulnerability, such as step-by-step instructions or screenshots.
- Be written in English.
Restrictions:
If you have established that a vulnerability or security weakness exists, or you encounter any sensitive data (data belonging to individuals, including their personal or financial information, contract information, or proprietary information that might be a trade secret), you must stop testing, notify ISACA immediately, and not disclose this data to anyone. ISACA will not consider anything beyond this point authorized research and may report it to the applicable authorities.
Rewards:
ISACA, at its sole discretion, may decide to “reward” a researcher in ways it deems commensurate with ISACA’s determination of the value of the received vulnerability report.
The reward can be in any form as decided by ISACA and may include cash, company swag or gifts. All rewards are subject to the city, state, country and other laws and regulations that are applicable to ISACA and may not be awarded at all under certain conditions.
Thank you for contributing to the information security program responsibly!