Smart Communications Security Vulnerability Disclosure Policy

Introduction and Definitions

SmartComms SC Limited and its affiliates and subsidiaries (“Smart Communications”, “we”, “our” and “us”) is committed to information security.

It is Smart Communications’ policy to make every effort to protect our information assets from threats – whether they be internal, external, deliberate, or accidental.

Vulnerabilities found and disclosed by parties outside our own internal scanning tools, penetration testing mandates and internal reporting channels help us maintain our high security and privacy standards for our users and systems.

This vulnerability disclosure policy (“Policy”) applies where you have discovered a security vulnerability that you want to report to us. Before doing so, please ensure you have read this Policy in full and that you act honourably and in compliance with it.

We value the input of external entities acting in good faith who take the time and effort to report security vulnerabilities to us; however, Smart Communications does not offer monetary rewards for such vulnerability disclosures.

If you are a Smart Communications customer or partner, please use our designated support channels to submit a service request to us, for any vulnerability discovered in our products/services.

Scope
This Policy applies only to vulnerabilities in Smart Communications products and services under the following conditions:
• Any vulnerability covered under recognised security standards: OWASP Top 10, CWE/SANS Top 25, or the CERT Secure Coding Standard, is in scope.
• Volumetric vulnerabilities are not in scope – meaning that simply overwhelming a service with a high volume of requests is not in scope.
• Reports of non-exploitable vulnerabilities, or reports indicating that our services do not fully align with “best practice”, for example missing security headers, are not in scope.
• Endpoint cipher suite weaknesses are not in scope.

Guidelines
We require that all entities that disclose any vulnerability to us:
• Act in good faith to avoid privacy violations and degradation of our production services/systems.
• Always comply with data protection rules and do not violate the privacy of Smart Communications’ users, staff, contractors, services, or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
• Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
• Keep information you’ve discovered confidential between us.

You must not:
• Break any applicable law or regulations.
• Access unnecessary, excessive, or significant amounts of data.
• Modify data in Smart Communications’ systems or services.
• Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
• Attempt or report any form of denial of service, for example, overwhelming a service with a high volume of requests.
• Disrupt Smart Communications’ services or systems.
• Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers.
• Submit reports detailing TLS configuration weaknesses, for example “weak” cipher suites.
• Communicate any vulnerabilities or associated details other than by the means described in this Policy and, where applicable, the published security.txt.
• Social engineer, ‘phish’ or physically attack Smart Communications’ staff or infrastructure.
• Demand financial compensation to disclose any vulnerabilities.

Reporting a Vulnerability
If you have discovered something you believe to be an in-scope security vulnerability, please report this to us using the details listed within the URL: https://www.smartcommunications.com/.well-known/security.txt

For your submission, please include details of:
• The website or page where the vulnerability can be observed.
• A brief description of the type of vulnerability, for example an ‘XSS vulnerability’.
• Steps to reproduce. This should be a benign, non-destructive proof of concept. It helps to ensure that the report can be triaged quickly and accurately, and it reduces the likelihood of duplicate reports or malicious exploitation.

What to Expect
If you follow these guidelines, then once you have submitted your report we will:
• Confirm receipt of your disclosure within 72 hours.
• Review and validate the issue and provide a response on our intended remediation efforts in a timely manner.
• Recognize your contribution if you are the first to report the issue and it results in a code/configuration change.

Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire about the status, but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation.

Legalities
This Policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause Smart Communications to be in breach of any of its legal obligations, including but not limited to:
• The Computer Misuse Act (1990);
• The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018;
• The Copyright, Designs and Patents Act (1988); and
• The Official Secrets Act (1989).

However, if legal action is initiated by a third party against you and you have complied with this Policy, we can take steps to make it known that your actions were conducted in compliance with this Policy.

Amendments to this Policy

This Policy and its Schedules will be updated from time to time by the Legal, Security and Compliance team to reflect any changes in legislation or in our methods or practices.

Date of issue: 6th June 2023