Vulnerability Report
ITER Organization Vulnerability Report Guidelines
Introduction
The purpose of this document (hereinafter referred to as "Guideline") is to provide guidelines to natural or legal persons (hereinafter referred to as "security researcher(s)") conducting vulnerability discovery activities on the ITER Organization's publicly accessible IT system (hereinafter referred to as "IT System") on how to report the related discovered vulnerabilities to the ITER Organization.
This Guideline defines (i) which IT System and which research activities are covered, (ii) how to submit vulnerability reports to the ITER Organization, and (iii) the remediation period we ask security researchers to observe.
We encourage you to contact us to report potential vulnerabilities affecting our IT System.
Test methods
THE FOLLOWING TEST METHODS ARE NOT AUTHORIZED:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
- Automated scanners or tools that generate large amounts of network traffic
Reporting a vulnerability
When you believe you have found a vulnerability in the IT System and would like to report it, we ask that you submit a detailed description of the vulnerability, without sensitive information, by email to it-security[@]iter[.]org.
ITER Organization may use your report for any purpose deemed relevant, including without limitation, for the purpose of correcting any vulnerabilities and errors that are reported and that ITER Organization deems to exist and to require correction. To the extent that you propose any changes and/or improvements to the ITER Organization's IT System in your report, you assign to ITER Organization all use and ownership rights to your report.
You agree not to disclose to any third party any information related to your report or to the vulnerabilities and/or errors reported, nor the fact that vulnerabilities and/or errors have been reported to ITER Organization, until you receive our notification.
If you submit your contact information, ITER Organization will only use such information to get in touch with you, in case clarification is needed about details of your report, or to thank you for it; therefore, it is important to provide valid contact details such as an email address.
Once the vulnerability in the IT System has been removed, the security researcher will be notified unless he/she wishes to remain anonymous.
We take security concerns seriously and work to evaluate and address them in a timely manner. Response timelines will depend on many factors, including: the severity, the product affected, the current development cycle, QA cycles, and whether the issue can only be updated in a major release.
By reporting vulnerability findings to the ITER Organization, the security researcher acknowledges that such reporting is provided pro bono and without expectation of financial or other compensation. The security researcher also affirms that neither he/she nor any entity that he/she represents is complicit in human rights abuses, tolerates forced or compulsory labour or uses child labour, or fails to meet the purposes and principles of the ITER Organization.
Questions
Questions regarding this policy may be sent to @email