Vulnerability Discovery Policy
OnePlan Limited is committed to ensuring the security of the public by protecting their information from unwarranted disclosure. The purpose of this policy is to provide security researchers with clear guidelines for conducting vulnerability discovery activities and to convey our preferences on how to submit discovered vulnerabilities to us.
This policy describes the systems and types of research covered by this policy, how to send vulnerability reports to us, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered – as outlined in this policy – so we can fix them and keep our users safe. We have developed this policy to reflect our values and maintain our sense of responsibility to security researchers who share their expertise with us in good faith.
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and OnePlan Limited will not recommend or pursue legal action related to your research.
For the purposes of this policy, the term “research” means activities in which you:
- Inform us as soon as possible after discovering an actual or potential security problem.
- Do everything possible to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Use exploits only to the extent necessary to confirm the presence of a vulnerability. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
- Give us a reasonable amount of time to resolve the problem before disclosing it publicly.
- Do not intentionally compromise the privacy or safety of OnePlan Limited personnel, or any third parties.
- Do not intentionally compromise the intellectual property or other commercial or financial interests of any OnePlan Limited personnel or entities, or any third parties.
Once you have established the existence of a vulnerability or have encountered sensitive data (including personally identifiable information, financial information, proprietary information or trade secrets of any party), you must stop your testing, notify us immediately and not disclose such data to anyone.
This policy applies to the following systems and services:
Systems and services directly associated with domains and sub-domains listed above are in scope. In addition, any website published with a link to this policy is considered in scope. Websites not explicitly listed here or published with a link to this policy are considered out of scope for this policy. Vulnerabilities discovered in our vendors’ systems are outside the scope of this policy and should be reported directly to the vendor in accordance with their disclosure policy (if any). If you aren’t sure whether a system or endpoint is in scope or not, contact [email protected] before starting your research or at the security contact for the system’s domain name listed in the .com WHOIS.
Although we develop and maintain other systems or services that are accessible via the Internet, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If you believe that a system not covered by this document merits testing, please contact us to discuss this in advance. We will increase the scope of this policy over time.
The [email protected] email address is for reporting product or service security flaws ONLY. It is not used to obtain technical support information for our products or services. Any content other than that specific to security flaws in our products or services will not be processed.
Rules of Engagement
Security researchers must not:
- test any system other than the systems set forth in the ‘Scope’ section above,
- disclose vulnerability information except as set forth in the ‘Reporting a Vulnerability’ and ‘Disclosure’ sections below,
- engage in physical testing of facilities or resources,
- engage in social engineering,
- send unsolicited email to users of OnePlan Limited, including “phishing” messages,
- perform or attempt to perform “denial of service” or “resource exhaustion” attacks,
- introduce malicious software,
- conduct tests in a manner that may degrade the operation of OnePlan Limited systems, or intentionally alter, disrupt, or disable OnePlan Limited systems,
- test third-party applications, websites, or services that integrate with or link to or from OnePlan Limited systems,
- delete, alter, share, retain, or destroy OnePlan Limited data, or render OnePlan Limited data inaccessible, or
- use an exploit to exfiltrate data, establish command line access, establish a persistent presence on OnePlan Limited systems, or “pivot” to other OnePlan Limited systems.
Security researchers may:
- view or store OnePlan Limited nonpublic data only to the extent necessary to document the presence of a potential vulnerability.
Security researchers must:
- cease testing and notify us immediately upon discovery of a vulnerability,
- cease testing and notify us immediately upon discovery of an exposure of nonpublic data, and
- purge any stored OnePlan Limited nonpublic data upon reporting a vulnerability.
Reporting a Vulnerability
We accept vulnerability reports at [email protected]. Reports may be submitted anonymously. We do not support PGP-encrypted emails at this time.
To facilitate our management of the vulnerability, we expect well-written reports in English or French containing the following information:
- Time and date of discovery;
- Product model and number, using the vendor nomenclature if possible;
- URL, browser information (type and version) and the input required to reproduce the vulnerability;
- Technical description — what actions were being performed and the result, in as much detail as possible;
- Sample code — if possible, the code that was used in testing to demonstrate the vulnerability;
- Reporting party’s contact information — the best method to reach you;
- Disclosure plan(s) — your current plan to disclose;
- Threat/risk assessment — details of the identified threats and/or risks, including a risk level (high, medium, low) for the assessment result;
- Software configuration — details of the computer/device configuration at the time of the vulnerability;
- Relevant information about connected devices, if the vulnerability arises during interaction with them. When a secondary device triggers the vulnerability, these details should be provided.
Please do not include any personal data in your reports, except as necessary to contact you.
Participation in this program does not give you any rights to intellectual property owned by OnePlan Limited or any third party.
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely OnePlan Limited, we may share your report with the National Agency for the Security of Information Systems (ANSSI), where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.
By sending us a report, you are indicating that you have read, understand, and agree to the guidelines described in this policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to OnePlan Limited information systems, and consent to having the contents of the communication and follow-up communications stored on an EU information system.
In order to help us triage and prioritize submissions, we recommend that your reports:
- Adhere to all legal terms and conditions outlined in the OnePlan Limited Responsible Disclosure Terms of Service (to be specified in your email).
- Describe the vulnerability, where it was discovered, and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
OnePlan Limited is committed to fixing vulnerabilities promptly. However, we recognize that public disclosure of a vulnerability in the absence of readily available corrective action likely increases rather than decreases the risk. Therefore, we require that you refrain from sharing information about discovered vulnerabilities for 90 calendar days after receiving our acknowledgement of your report. If you believe that others need to know about the vulnerability before we implement corrective measures, we ask that you consult with us beforehand.
We may share vulnerability reports with the National Agency for the Security of Information Systems (ANSSI), as well as any affected vendors. We will not share names or contact data of security researchers unless given explicit permission.
Questions regarding this policy may be sent to [email protected]. We also invite you to contact us with suggestions for improving this policy.