Vulnerability Disclosure Policy

About this Policy

Point Duty is committed to ensuring the security of our products and our customers’ information held within in them. We encourage the Cyber Security Community to report any potential vulnerabilities as soon as they are uncovered. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.

This policy describes how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities. We may compensate you for finding any vulnerabilities in our products depending on the severity. We will credit you as the person who discovered the vulnerability unless you direct us otherwise.

Security research within scope of this policy

We encourage you to conduct responsible and good faith security research on those of our products and services to which you have authorised access.

Security research out of scope of this policy

Point Duty and this policy strictly prohibits and does not cover:

• Clickjacking
• Social Engineering or phishing
• Weak or insecure SSL ciphers or certificates
• Denial of Service (DDoS)
• Physical penetration or attacks against Point Duty employees, customers and their employees, partners/resellers and their employees or networks and property belonging to the aforementioned.
• Actions that violate the countries we operate in laws.

How to report a vulnerability

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information), you must stop your test, notify us immediately, and not disclose this data to anyone else.

To report a vulnerability email: support@pointduty.com.au

Please include enough detail so we can reproduce your steps and validate the vulnerability. Feel free to include alternative contact details if you are willing for us to contact you by other means.

If you report a vulnerability under this policy, you must keep it confidential. We will contact you and discuss when it can be disclosed publicly.

Next Steps

We will:

• Respond to your report within 5 business days.
• Keep you informed of our progress.
• Agree upon a date for public disclosure.
• Credit you as the person who discovered the vulnerability unless you tell us not to.

Questions

Questions regarding this policy may be sent to support@pointduty.com.au. We also invite you to contact us with suggestions for improving this policy.

People who have disclosed vulnerabilities to us

Point Duty Would like to thank the below names or aliases of people who have identified and disclosed vulnerabilities to us:

Document change history: