BHEH’s Vulnerability Disclosure Policy
Black Hat Ethical Hacking Vulnerability Disclosure Policy
Introduction
At Black Hat Ethical Hacking (BHEH), we understand the importance of maintaining the security and privacy of our technology and users. Our goal is to ensure that all systems and data are protected from unauthorized access and tampering. As part of this effort, we encourage responsible vulnerability research and disclosure. This policy outlines our definition of good faith in the context of finding and reporting vulnerabilities, as well as what researchers can expect from us in return.
Before you begin any assessment, you must contact us first so that we can expect your testing and distinguish it from an external attack.
Expectations
For researchers working in accordance with this policy, BHEH promises to:
- Offer Safe Harbor protection, as defined in this policy, for vulnerability research conducted under this policy.
- Provide a prompt and timely initial response to your report submission.
- Work with you to understand and validate your report.
- Take appropriate action to remediate discovered vulnerabilities in a timely manner.
- Recognize your contribution to improving our security if you are the first to report a unique vulnerability and your report triggers a code or configuration change.
Please note that BHEH does not offer compensation for vulnerability information, but we will credit you if we judge the finding to have meaningful impact.
Rules of Engagement
To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attacks, researchers must abide by the following rules:
- Do not exploit the issue beyond what is needed to demonstrate it, and do not launch a denial-of-service attack.
- Do not change or alter the configuration or data of our systems.
- Do not engage in any activities that violate any applicable laws or regulations.
- Do not use social engineering techniques or attempt to access or destroy data.
- Do not publicly disclose the issue before BHEH has confirmed it and provided a remedy.
Safe Harbor Definition
Research conducted in accordance with this policy is considered authorized under the Computer Fraud and Abuse Act (CFAA) and similar state laws, and BHEH will not initiate or support legal action against you for accidental, good-faith violations of this policy made while conducting genuine vulnerability research under it. BHEH will not bring a claim against you under the Digital Millennium Copyright Act (DMCA) for circumvention of technology controls performed while conducting genuine vulnerability research under this policy. Restrictions in our Terms and Conditions that would otherwise interfere with security research are waived on a limited basis for work done under this policy. Researchers must conduct their work in a lawful, helpful, and good-faith manner.
Reporting
To report a security issue or vulnerability, researchers must follow this process:
- Gather as much technical information as possible, including the steps needed to reproduce and validate the issue.
- Encrypt your report using BHEH’s GPG key.
- Within 24 hours of discovery, email your encrypted report to the BHEH security team via offensivesecurity@blackhatethicalhacking.com.
- Allow up to 10 business days for confirmation of the reported issue.
Our Commitment
BHEH is committed to securing the confidentiality, integrity, and availability of our systems and the data they store. We take the security of our technology and users seriously and appreciate your contribution to our security efforts. We will work with you to promptly address and remedy any vulnerabilities discovered.
If you have any questions or concerns regarding this policy, please do not hesitate to reach out to us at [email protected].
Effective Date: 7th of September, 2018
Revised Date: 5th of February 2023