Vulnerability disclosure policy

Introduction

→ About us

simplylogical.net (SL, we, our) is the registered business name of Sharrowlane Pty Ltd (ABN: 84 099 636 709, ACN: 099 636 709), operating from Ngunnawal Country – Unit 11, Level 3, 161 London Circuit, Canberra City ACT 2601.

SL is a small, privately owned business that owns, develops, and manages 360 – Evaluation & Reporting Software and other software products (our software) that are licensed to our customers as software as a service (SaaS). SL also develops and manages SaaS products that are owned by third parties.

→ Purpose of this policy

SL is committed to providing high-quality services with confidence, value, and integrity. As such, we are committed to ensuring our software is safe to use and the information we manage is protected at all times.

This policy is the public part of our vulnerability disclosure program (VDP). The program also contains internal processes and procedures that are not published here.

This policy is our public statement of commitment regarding how vulnerabilities in our software are found, reported and remediated so that our software stays safe and secure.

The scope of this policy is limited to vulnerabilities in our software. It is not to be confused with our customers’ vulnerability disclosure policies and programs.

Found a vulnerability?

It doesn’t matter who you are or how you found it: if you have found a vulnerability in our software, please email security@simplylogical.net with details so our cyber incident response process can kick in straight away. We promise to thank you!

Want to do vulnerability research?

We welcome vulnerability research from good faith actors, subject to the following strict conditions:

  1. The good faith actor must register their intent to perform research and receive authorisation.
  2. The good faith actor must not attempt to access, edit, destroy, or corrupt data belonging to someone else.
  3. The good faith actor must report vulnerabilities to us as soon as possible.
  4. The good faith actor, having found a vulnerability, must not disclose the vulnerability to anyone else until we have had a chance to remediate it.
  5. The good faith actor, having found a vulnerability, must not disclose to anyone else any data obtained in the process, and must destroy all copies of that data so that the only copy remaining is the original within our system.

Failure to adhere to these conditions will automatically classify the research as having been conducted in bad faith.

→ Who should register to perform vulnerability research

We welcome vulnerability research from:

  • Cyber security professionals in Australia.
  • Cyber security students who are studying at an accredited training organisation or university in Australia.

We especially welcome vulnerability research from our customers and post-graduate students.

→ Who should not register to perform vulnerability research

  • Researchers from outside Australia.
  • Researchers who are solely seeking a monetary reward (we do not pay bug bounties).

→ How to register to perform vulnerability research

To register as a good faith actor, please email security@simplylogical.net with a description of the research you would like to do and why you would like to do it. Registration requires you to share information about yourself so that we can verify you are a good faith actor.

Authorisation will specify:

  • The details of systems on which research can be conducted (e.g., domain names and IP addresses).
  • Authorised test techniques.
  • Times when research can be conducted.
  • Your obligations should you identify a vulnerability.

What we do already

We employ measures that help us find vulnerabilities in our software. These measures apply to both pre-production and production systems and include both systematised and manual processes.

The measures include:

  • Systematic development using established frameworks.
  • Automated testing and monitoring using systems that reveal errors.
  • Penetration testing by independent security experts.

Final notes

Security of our systems is paramount. We treat all unsanctioned vulnerability research as hostile, but we promise to treat all good faith reports and good faith actors in good faith ourselves!

We look forward to working with you!