Vulnerability Disclosure
The Personnel Group is committed to protecting the privacy of our clients information. The information we collect is used to facilitate services that we provide to you. We value your privacy and will take all necessary steps to protect it.
Purpose
The Personnel Group actively seeks assistance in identifying and reporting security vulnerabilities within our website and associated online platforms.
This policy applies to any vulnerabilities you are considering reporting to The Personnel Group.
We value those who take the time and effort to report security vulnerabilities, however do not offer monetary or any other rewards for vulnerability disclosure.
This Policy is designed to be compatible with common vulnerability disclosure good practice. It is not give permission to act in any manner that is inconsistent with the law, or which might cause the Organisation or partner organisations to be in breach of any legal obligations.
Scope
This site may from time to time contain links to other websites. The Personnel Group is not responsible for the Privacy Policy or the content of any of those websites.
Integrity of Reporting
As a person reporting a vulnerability, you agree to and must not:
- Break any applicable law or regulation
- Access unnecessary, excessive or significant amounts of data
- Modify data in the Organisation’s systems or services
- Use high-intensity invasive or destructive scanning tools to find vulnerabilities
- Attempt or report any form of denial of service, eg. Overwhelming a service with a high volume of requests.
- Disrupt the Organisation’s services or systems.
- Report non-exploitable vulnerabilities, or reports detailing TLS configuration weaknesses.
- Social engineer, ‘phish’ or physically attack the Organisation’s staff or infrastructure.
Reporting
Please submit your report to us by using the report form below.
Your report should include details of:
- The website, IP address or page where the vulnerability can be observed
- A brief description of the type of vulnerability, eg. “XSS vulnerability”
- Steps undertaken to reproduce. These should be a benign, non-destructive proof of concept. This helps to ensure that the report can be triages quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.
Responsibilities of Reporting
A reporting person must always:
- Comply with data protection rules and must not violate the privacy of the Organisation’s users, staff, contractors, services or sstems. You must not, for example, share, redistribute or fail to properly secure data retrived from the systems or services.
- Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
Organisational Response to Vulnerability reports
The Personnel Group will respond to any reports within 48 hours. Following the initial triaging of the breach, The Personnel Group will develop a mediation and mitigation plan with actions and responsibilities identified within 48 hours. The Head of IT shall assume responsibility for the Organisation’s response implementation plan. All reports and implementation plans will be documented in the Organisation’s management meeting minutes.
Review
This policy shall be reviewed at least annually.