Responsible Security Disclosure Policy
Working with the Cyber Security Research Community to improve our online security
Introduction
Ocean Bottle Ltd. (OB) is committed to protecting our customers, partners, employees, stakeholders and our wider company. We welcome the opportunity to work with well-intentioned and ethical Cyber Security Researchers to identify, thoroughly investigate and resolve all security issues in our Platforms, Systems or Services, to ensure the protection of the Information and Data entrusted to us.
This policy defines the method and rules of engagement by which OB can work with the Cyber Security Research Community to improve our online security.
Bug Bounty
Currently, we do not offer a paid bug bounty programme. We will, however, welcome feedback from well-intentioned and ethical Cyber Security Researchers who take the time and effort to investigate and report security issues in our Platforms and Services under this policy.
Scope
This policy applies only to OB products and services that serve a security.txt file at their root. Subdomains are in scope provided their parent domain is in scope (i.e. the existence of https://oceanbottle.co/security.txt means that shop.oceanbottle.co and www.oceanbottle.co are also in scope).
This policy applies only to original vulnerabilities: those not previously reported by an external party and not already identified by internal vulnerability assessments or other procedures.
The following security issues are not in scope; please don’t report them:
- Volumetric vulnerabilities (i.e. overwhelming our service with a high volume of requests);
- TLS configuration weaknesses (i.e. "weak" cipher suite support, TLS 1.0 support, Sweet32);
- Non-exploitable vulnerabilities;
- Gaps in common "best practice", such as missing security headers (CSP, x-frame-options, x-prevent-xss, etc.) or suboptimal email-related configuration (SPF, DMARC, etc.);
- Improper session management/session fixation vulnerabilities.
Responsible Security Disclosure Policy
Cyber Security Researchers shall investigate security issues in OB Platforms and Services only in accordance with the requirements set out in this policy. Research into OB Platforms and Services that does not comply with this policy may be considered malicious activity towards OB, and legal action may be taken as necessary.
Anyone investigating security issues in OB Platforms and Services shall do so in accordance with the following principles and requirements:
- Respect our Partners’, Customers’ and Employees’ privacy. You must not attempt to access anyone’s data, personal or otherwise. This includes, but is not limited to, usernames, passwords and other credentials. If you gain access to anyone’s data, personal or otherwise, you must contact us immediately by emailing responsible.disclosure@oceanbottle.co. You must not save, store or transmit this information.
- Act in good faith. You must report any issues found to us in good faith, with no conditions attached, by emailing responsible.disclosure@oceanbottle.co.
- Work with us. You must promptly report any findings to OB by emailing responsible.disclosure@oceanbottle.co. You must stop your investigation after you have found the first security issue and request permission to continue testing. You must allow us a reasonable amount of time to resolve the security issue before publicly disclosing it.
Anyone investigating security issues in OB Platforms, Systems or Services shall not:
- Violate the privacy rights of OB Staff, Learners, Customers, Stakeholders and Third-Party Partners;
- Break the law or any agreement they have with OB or a third party;
- Access unnecessary amounts of data; only access the amount of data necessary to demonstrate the vulnerability to OB;
- Exfiltrate data; instead, they shall use a Proof of Concept to demonstrate a vulnerability;
- Share or redistribute any data retrieved from OB Platforms, Systems or Services with anyone other than their dedicated OB Security contact or responsible.disclosure@oceanbottle.co;
- Disclose any vulnerabilities (or associated details) found in OB Platforms, Systems or Services to anyone other than their dedicated OB Security contact or responsible.disclosure@oceanbottle.co. If the vulnerability is directly relevant to a third party, the vulnerability may be disclosed, but how it relates to OB must not be disclosed or referenced;
- Test Platforms, Systems and Services that do not fall within the scope of this policy;
- Test for security issues that do not fall within the scope of this policy;
- Disable security controls on OB Platforms, Systems or Services;
- Alter the configuration of OB Platforms, Systems or Services;
- Attempt to introduce malware or other malicious code or programs;
- Disrupt the availability of OB Platforms, Systems or Services to Users (i.e. Denial-of-Service);
- Provide anyone else with access to OB Platforms, Systems or Services;
- Delete, destroy or modify any data on OB Platforms, Systems or Services;
- Perform any form of social engineering against OB Staff, Customers, Stakeholders or Third-Party Partners;
- Send messages from or to any OB Identity that could reasonably be considered spam, harassment, non-inclusive or unethical;
- Perform any testing of physical security;
- Perform brute-force or any other password attacks against OB users.
Anyone investigating security issues in OB Platforms, Systems or Services shall:
- Use a device running fully licensed software that is fully patched, has fully encrypted storage and has an Internet security suite installed (anti-virus, MMC removal, personal firewall, intrusion prevention);
- Protect any information or data about, or retrieved from, OB Platforms, Systems or Services from unauthorised access and use;
- Securely delete any information or data about, or retrieved from, OB Platforms, Systems or Services as soon as it is no longer required.
Reporting a Security Issue
If you have discovered a Cyber Security Issue which you believe falls within the scope of this policy, please email responsible.disclosure@oceanbottle.co with the following information:
- The URL of the OB Platform, System or Service;
- Code version number, if applicable/available;
- A description of the vulnerability;
- The steps needed to reproduce the vulnerability, including any proof of concept;
- Screenshots;
- The IP address from which you performed the testing, which will enable us to view logs related to your testing;
- Details of the browser and Operating System used during testing;
- Clearly identify your traffic (i.e. with a unique custom HTTP header such as X-Jisc-CVD:);
- Demonstrate root-level access using touch /root/;
- How we should contact you.
What to expect
We will aim to respond to your email within 24 hours. Our initial response will include a ticket reference number, which you can quote in any further communications with our Security Team.
Our Security Team will assess the reported vulnerability. They will contact you to verify whether or not the reported vulnerability falls within the scope of this policy and to ask for any additional information as required.
Remediation work will be assigned to the appropriate teams and/or supplier(s) and will be prioritised based on the severity of impact on OB and the likelihood of exploitation.
You are welcome to enquire about the status of the process, but please limit this to no more than once every 14 days. Our Security Team will notify you when the reported vulnerability has been remediated and will ask you to confirm that the solution is adequate.
We will then ask for your feedback on OB’s engagement and vulnerability resolution approach. Your feedback will remain strictly confidential and will only be used to help us improve our engagement, vulnerability resolution approach and, in turn, the security of OB’s Platforms, Systems and Services.
Legalities
This policy is designed to be compatible with common good practice among well-intentioned and ethical Cyber Security Researchers. It does not give you permission to act in any manner that is inconsistent with legal and regulatory compliance, or that would cause OB to be in breach of any of its legal and regulatory obligations, including but not limited to:
- The Computer Misuse Act (1990)
- The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018
- The Copyright, Designs and Patents Act (1988)
- ISO/IEC 29147:2018 – Vulnerability Disclosure standard
This document provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1. Vulnerability disclosure helps users protect their systems and data, prioritise defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated vulnerability disclosure is especially important when multiple vendors are affected. This document provides:
- guidelines on receiving reports about potential vulnerabilities;
- guidelines on disclosing vulnerability remediation information;
- terms and definitions that are specific to vulnerability disclosure;
- an overview of vulnerability disclosure concepts;
- techniques and policy considerations for vulnerability disclosure;
- examples of techniques, policies (Annex A), and communications (Annex B).
Other related activities that take place between receiving and disclosing vulnerability reports are described in ISO/IEC 30111.