Responsible Disclosure

ICHEC considers the security our ICT systems to be of the utmost importance. If you discover a security vulnerability on one of our systems, you can report these vulnerabilities to us. The responsible disclosure of security vulnerabilities helps us protect the security and privacy of all our users.

Collaboration

If you have found a vulnerability, we would like to hear about it so that we can take appropriate measures as quickly as possible. We really appreciate your time and effort in responsibly disclosing a vulnerability.

Not an invitation to actively scan

Our responsible disclosure process is however not an invitation to actively scan our network to discover weak points. ICHEC continues to monitor its network and we are likely to pick up scans, which our Systems Team will investigate.

Reporting a Security Vulnerability

• Please email your findings as soon as possible to responsible-disclosure@ichec.ie.
• Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation. 
• Do include your contact details (email address or phone number) to allow us to contact you.
• Be responsible with your knowledge about the vulnerability. Do not abuse the found vulnerability, for example by:
  • downloading more data than necessary
  • changing or removing data
• Be extra cautious with personal data.
• Do not share the vulnerability with others until it is resolved.
• Do not test the physical security or third-party application, social engineering techniques (distributed) denial-of-service, malware, or spam.

How we will deal with your report

• We will send you confirmation of receiving your report within 1 working day.
• We will respond to your report within 5 working days. This response should contain our assessment of the report and an expected resolution date.
• We will keep your report anonymous and will not pass on your personal details to third parties without your permission, unless we are required to do so by law or by a court order.
• We will keep you informed of the progress towards resolving the problem.
• If you wish, we can mention your name as a vulnerability discoverer in the weakness report.
• We strive to solve all problems as quickly as possible and keep all parties involved informed. We will be glad to be involved in any publication about the weakness after it has been resolved.