CERT.LV Responsible disclosure policy
We support the policy and principles of responsible security vulnerability disclosure and welcome any security researchers to report security flaws in the CERT.LV services and resources (cert.lv domain).
We expect reports about vulnerabilities such as Cross Site Scripting (XSS), encryption flaws, remote code execution, etc.
How can you report?
If you believe you have discovered a vulnerability in the CERT.LV services, please contact us at cert and include the following information:
- Detailed description of the vulnerability;
- Detailed information about the exploitation of the vulnerability;
- If applicable, a link, screenshot or any other information that helps to identify the vulnerability you have found.
We prefer that you use the CERT.LV PGP key to protect the information you are sending.
We will keep you updated while we solve the issue, and inform you when the vulnerability is fixed.
What do we expect from you?
It is important that you follow good practice:
- You do not use the vulnerability to access or attempt to access information that does not belong to you (only to prove the existence of the vulnerability);
- You do not use the vulnerability to remove or modify information;
- You do not affect the availability of our services through denial of service attacks;
- You do not carry out any social engineering attacks;
- We would appreciate it if you let us fix the reported vulnerability before going public with it.
What does CERT.LV offer?
We do not offer monetary compensation, but when the issue is solved, CERT.LV can help to prepare information for publication and promote the researcher’s contribution if that is mutually agreed.
If you have found a vulnerability in other institutions’ services, please contact us at cert (please use the CERT.LV public PGP key).
CERT.LV PGP key
User ID: CERT.LV (cert)
Key ID: 0xE49D332C
Fingerprint: EBBE 32C8 243B B714 E1FB 2EDF DBDA ACC3 E49D 332C