Auckland Challenge is committed to ensuring the integrity and security of our systems, this relies on, in part, the contributions of members of the public reporting potential vulnerabilities.
Reporting Vulnerabilities
Auckland Challenge operates using a responsible disclosure model. This means we request the discloser provide us time to address the vulnerability before making a public disclosure.
Once a disclosure has been received, you will receive an initial triage and acknowledgement within two business days. If you do not receive a response, please escalate the report to it@aucklandchallenge.org.nz. Auckland Challenge aims to resolve all disclosures within 60 days of being notified, please refrain from public disclosure until this period has expired.
To alert Auckland Challenge to a vulnerability please provide a detailed description of the vulnerability including:
- The affected system
- A brief description of the vulnerability
- Steps to reproduce the vulnerability
- Any supporting materials
- Your contact information for updates and to request information
Disclosures should be emailed to vuln-disclosure@it.aucklandchallenge.org.nz
The discloser may opt to encrypt the details through PGP, Auckland Challenge makes a PGP fingerprint available through security.txt files in all websites.
You may opt to report a vulnerability anonymously or via CERT, in this case we will be unable to contact you for further information or to update you with progress.
Handling disclosures
When a disclosure is received, the responding Staff member shall:
- Determine the severity and potential impact of the vulnerability
- Within 2 business days, respond to the discloser the outcome of the determination and Auckland Challenge’s next steps
- Notify affected personnel
- If deemed necessary, release a public statement. This should not contain specific details
- Rectifying the vulnerability as soon as possible, and within 60 days
- If necessary, notify the software vendor, CERT, Netsafe, and the Department of Internal Affairs
- If necessary release a TLP classified statement to the Cybersecurity community
- If necessary, begin the process of raising a CVE within the NVD managed by NIST and the United States CERT
- Keep the discloser informed of developments
If the vulnerability has led to a confirmed or potential incident or loss of data, begin Auckland Challenge’s Incident Response Procedure.
Legal position and exclusions
Auckland Challenge appreciates the support of the community in addressing vulnerabilities in our systems. We encourage any person who discovers a vulnerability through normal, legitimate use to report it without repercussion, however Auckland Challenge does not condone nor permit the deliberate or unauthorized testing of any system or service.
This policy does not apply to:
- Any third party services except where the vulnerability results from an Auckland Challenge configuration
- Social Engineering
- Denial-of-Service (DOS) attacks, whether or not distributed