Responsible Vulnerability Disclosure Policy

A2J AUTHOR

VULNERABILITY DISCLOSURE POLICY

 

We take the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users. 

 

GUIDELINES

 

We require that all researchers:

• Make every effort to avoid privacy violations, degradations of user experience, disruption to production systems, and destruction of data during security testing;
• Perform research only within the scope set out below;
• Use the identified communication channels to report vulnerability information to us; and, 
• Keep information about any vulnerabilities you have discovered confidential between yourself and A2J Author until we have had 180 days to resolve the issue. 

 

If you follow these guidelines when reporting an issue to us, we commit to:

• Not pursue or support any legal action related to your research;
• Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 business hours of submission);
• Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue. 

 

As a non-profit with limited resources CALI does not have an active bug bounty or reward program.

 

SCOPE

 

The provisions of this Vulnerability Disclosure Policy apply to:

• www.a2jauthor.org
• www.a2j.org
• A2J Author (https://github.com/CCALI/a2jauthor) 
• The A2J Viewer (https://github.com/CCALI/A2Jviewer)
• The A2J Author Document Assembly Tool (https://github.com/CCALI/a2jdat) 
• A2J Dependencies (https://github.com/CCALI/a2jdeps) 

 

OUT OF SCOPE

 

Any services hosted by 3rd party providers and services are excluded from scope. These services include:

• Any domains, services, and resources that use or run alongside CALI A2J software but are not owned or operated by CALI. For example, the A2J Viewer and A2J DAT can be installed on and run from a third party domain. In this case, the viewer itself would be in scope but the rest of the website would be out of scope if its domain is not a2j.org or a2jauthor.org.

 

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

• Findings from physical testing such as office access (e.g. open doors, tailgating)
• Findings derived primarily from social engineering (e.g. phishing, vishing)
• Findings from applications or systems not listed in the “Scope” section
• UI and UX bugs and spelling mistakes
• Network level Denial of Service (DoS/DDoS) vulnerabilities

 

Things we do not want to receive:

• Personally identifiable information (PII)
• Credit card holder or other financial data

 

HOW TO REPORT A SECURITY VULNERABILITY

 

If you believe that you have found a security vulnerability in one of our products or platforms, please send it to us by emailing security@a2jauthor.org. Please include the following details in your report:

• Description of the location and potential impact of the vulnerability;
• Detailed description of the steps required to reproduce the vulnerability (Proof of Concept (POC) scripts, screenshots, and compressed screen captures are all helpful to us); and,
• Your name/handle and a link for recognition in our Hall of Fame. 

 

If you’d like to encrypt the information, please use our PGP Public Key below

 

-----BEGIN PGP PUBLIC KEY BLOCK-----

 

mQINBF8V6NgBEADi63WhQbv0Jr9Ovx9iAONrY6fORE1CNpN1Rm0YxkZ+iSB3gRCm

VfKiq2sne5sqPGbuuO5pS7N1Wr9iSSHkWIv/NZsQ3qKg6O/IX8L8KKm+VC+NDmzF

M3tagyW/f1em4o+XcWp1dZDkCdjkciIOhcL40ypyNF356aVZlgBFGECFvBLUGE/s

myCzJR34vze1fSEa7+G97TY7aPzzv26AGPkTENIdJ/nP7S7H1/Cd3E1yoL4suXkX

1eb90RhCn8yDhEaVF4hBbdhSH4tvTlXjhgTtYmnFMQvVBkS3GOMQyv7P6nwfOjqF

79r/Zd2J+g45+odriTitsmGME7AJsJC94+CHwd1I3cOU5UbRIaLxC7Zp/xHEDZIP

53pXtCXx2IqNplgPDhE7BoEIMsxPYMs0cXRgXLEd/Jpy64lu25Xs8fTrlZCJ6ge2

Z3GIxdB3pW8RE+meVzpHd0s+dTAfD4kiBPAY6FKTVDdeO43TMl3wbtlx3EttEKtC

wmi/l93mGWRzFo6InFZG1olFVFsc2eMMyzmaRXL8jCoAo8B3xVmOU/TKT/TxOREo

rI8gdZZKqz2YBEjHymsc+hztmEWMFYM2nz3votvfyZ5/DvxK4HB+WkFDwL4k/wq6

Hz24r2Rj4cucYi6L6k4cAXGkzvdfK2wYGyc6/I5a7dO2KSISA2aKvWweuQARAQAB

tHFzZWN1cml0eUBhMmphdXRob3Iub3JnIGVtYWlsIGVuY3J5cHRpb24ga2V5IHBh

aXIgKGZvciBlbmNyeXB0aW5nIHZ1bG4gZGlzY2xvc3VyZSBlbWFpbHMpIDxzZWN1

cml0eUBhMmphdXRob3Iub3JnPokCVAQTAQgAPhYhBNogLtW66iNZ4V+G74J/riRU

sTVTBQJfFejYAhsDBQkSzqYABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEIJ/

riRUsTVTspAQALr2MWP6ismp7NxApsmvGjd7cPnE6jszlYN+OfEiJpzAgZ4ek9ZY

bdmALEVMIODS88rBpQ//86Zcd3Kcd5O/bD6hT1dt4aeIk+BLmeDavCmxTvLVchOH

uwZvY4B3N/6V3feiz7/Byl0ZNqbdddyaCLjzjS4ymvpYXEqUVIaB2eXadwzQQEvB

QK7T05a7tZFnFDWTrc8LQrOQbRT9E2feO2rvw2yZEMRBxuZUTasnLXzRKE+l8eET

HNw8f4VYLaO2BFjGvrMn2vgPSIToX9S3dtuK3zkY/m070G/3jUdQhUONIqW2P7Z4

eFG6skupw/kI2OZ/ubfeEaqb4X3Ck/SOQ0uIeZQIyvl6/z19JaFyXMgFrymCtGUq

E5QTqgJDmHy6L4hmW5fzHseML+pJ4QFTuN/ejGk4zgE0J5SFmYu+AnO6fhDrfOmW

lguiyF734KG0zkxXKR8T/GWTajAd19zIxXmOYIonsx7dqsyXSNJTrRX/Hn6754eU

oneYAYrmxcOLFqyjATNcEt7k3VDD8AiL9HRqA4ePFxj7PHMfIII7EjomCA3UthUq

3JIcIk8nBZG6KhCHoiycmAk8mS+qsTIRsRMjUGvgtmW2h9NAMJ81cSzgEQqkA5Gf

1JKF/mBb6hRmt+lakP1nwOwJinsIefCDtXHQ6UnWrGKd2CDZ0NPkrfRcuQINBF8V

6NgBEADGu82yMqxVuiKkfSicp9f/7+6Cs8gN3aSIfPcPcA4y1DpCza5w114CS+W1

UhBGlw0B0SzIKodnjsmOs6Mnnb5D9ZQ9fsz/pXQI+Z5Sq7RR60ypd4aElj3apJRI

ZtFZdRO/ObE44mIOllJUIb5AVHSEO1Up/siWXpqoKhID9LK+113Z2buKtQfkfqaD

R5RyiveZWTthXUZ1rkiuXHKnM9kujCjeaLugEVgD+9z6AS1GnA/d9to3zm7ScN6G

/Rxvjof4wUN1PybcMF5CbkLvszfvfP9RQctkNgq6QZ5gwfVR5RY1MSlNX0mhEvxo

Q3yH/dOMgLZwpGm/d38t6Ic6C60JFcIPbFrX+FJU1j4JzX+zbvsbUnzQ4zoW83N8

kppUrV85REMmCqvc9w8dm9EH9oUVYKpj62jGGFIrAC9RfE6u1H6boCtaidFm17Wo

GIEooWUYh2Nya5jujV882hEzA+Q4XknuwuZR7r9PLWbKIVVZLLTusCDPVllWfiR5

jg1S/Y80+hlO+yxPKwbha6JartWuXrhR4NLxHxHRvuUkSrWMnCl2miSr6Bmxkp/v

vGWqP/Eewk8vKjNv63zUVoie9VGKK2hABcNEJhvya3RbFrykeockV20ql2cG3qkr

URVRIV8jQ5ZAwegAXt0vQit004xrhT+zGLD3p8R6x2YywKjOSwARAQABiQI8BBgB

CAAmFiEE2iAu1brqI1nhX4bvgn+uJFSxNVMFAl8V6NgCGwwFCRLOpgAACgkQgn+u

JFSxNVM5aQ/9FYsWSbHHszVWj60BooNrnJnl3gHj4yC1HtoXjt2n7KzI95o/3nNm

oVqoVbXmdDy8ea8Jtk7oVJWtKD0OxFgIRpnjwUB8iDcRpOejKGiLprMG4r4Rw9FS

2U2STWV16jWZfHxPhkQxGqyEO+8bCRr2ycABIyW6HD6X29wIyMClqX1HUhxhgKwu

pKC+2s69BeAOiJpsdk7/Mgi7x9s96eGwWg9RdWfX1E1tdmCwdmVbJ9mbBN7+ObvR

rKQkmNsYJAQEAdN0e3H74/+nBygpYDaS1UPDwJtA6VGfPL5UHdO+6CWIWZO36S2G

TMJNeG/h+iFR0di+jk7qbdIr5sYRvknZaCbzglryLAyT39EIryr0J+bD8Lq0evEw

L2eGM+COQVdvaFv7pNgL2SuzA+6uvLtysErqum8/90JoSLyE67KPOFwjUrnkzOdU

KDf063U9kf0wZ6qqBvFv+9Kd69Kp87OuTcUQJq8xDnLZf4Yyk72KIIsx8Q/k1KnA

vhWiHwZq/zlgDbxF7cjZaRznToXr/uSNKLa4sQsDxodLjGAoic+wsh/QwYZQ3ZtX

6NjwjD2ljwjJuCWoQ6lpi8O5iHKhijiSYbJJJRYeCURNaTF2iivS8A2r4lzXthV0

PZZn+GnQ79Sefvps1b6eNmg19PzhfaAWAaB6lkAx4Pm4DGw+2BUK2Vk=

=Ju7L

-----END PGP PUBLIC KEY BLOCK-----