1 RESPONSIBLE DISCLOSURE POLICY

Sisal S.p.A. (hereafter Sisal) strives to ensure that its information security management system complies with the ISO/IEC 27001 and WLA SCS-2020 standards. Sisal invites all security researchers to report any vulnerabilities they may have detected in Sisal products or services, in order to better protect users and their data. This policy explains to security researchers how to report such vulnerabilities.
 
1.1 Reporting vulnerabilities
 
To report a security vulnerability, the following procedure must be followed:
  • Complete the report submission form available through our digital channels;
  • Provide a detailed description of the vulnerability, including the steps to reproduce it;
  • Attach any relevant screenshots, videos or test code;
  • Submit the report.
The report submission form can be found on a dedicated report management page. You will need to fill out a form with the following information:
  • Vulnerability title
  • Bug type
  • Severity level
  • Replicability
  • Step-by-step description (including an indication of the affected service, URLs, or IPs)
  • Expected result
  • Actual result
  • Date and time the vulnerability was found
  • Other comments
  • Images/videos
 
1.2 Guidelines for security researchers
 
Sisal asks all researchers to follow the guidelines below carefully and to operate in accordance with current and applicable regulations, so as not to commit violations or computer crimes punishable under the law (including by imprisonment). By way of example and not limitation, researchers must:
  • Do not exploit the discovered vulnerability or issue;
  • Do not perform any activity that may:
    • harm Sisal
    • harm its users;
    • block a Sisal system or service;
    • cause the loss of data.
  • Keep all information about discovered vulnerabilities confidential unless mutually agreed otherwise;
  • Avoid breaches of privacy. Interact only with accounts that you own;
  • Exercise caution and moderation with personal data, and do not intentionally engage in attacks against third parties, social engineering, denial-of-service attacks, physical attacks on any Sisal property, or spamming;
  • Do not cause annoyance for other users;
  • Do not use common vulnerability scanners. Vulnerability scanning should be manual, although tools with automated requests are allowed if limited to 5 requests per second.
In addition, researchers will have to:
  • Submit documentation in English;
  • Use identifiers that help determine that they are security researchers (e.g., in logs, requests, account details);
  • Be at least 18 years old;
  • Comply with all applicable local and national laws.
Upon compliance with these rules, Sisal commits itself to:
  • Provide an initial response acknowledging the report within a few business days;
  • Take no legal action against security researchers who report vulnerabilities by following this policy;
  • Not pass any personal data to a third party unless required by law;
  • Inform researchers about the progress and resolution of detected vulnerabilities;
  • In case of duplicates, consider only the first report received (provided it can be reproduced in full).
 
1.3 Types of vulnerabilities
 
Sisal is particularly interested in vulnerabilities that could compromise the confidentiality, integrity, or availability of user data or disrupt the normal operation of its platforms.
Any design or implementation issues that substantially affect the confidentiality or integrity of user data are likely to be within the scope of the program. Common examples include:
  • Cross-Site Scripting (XSS);
  • Cross-Site Request Forgery (CSRF);
  • Authentication or Authorization Flaws;
  • Server-Side Request Forgery (SSRF);
  • Server-Side Template Injection (SSTI);
  • SQL injection (SQLI);
  • XML External Entity (XXE);
  • Remote Code Execution (RCE);
  • Local or Remote File Inclusions.
 
1.4 Elements not considered a vulnerability (out of scope)
 
  • Email/SMS Spam or social engineering techniques on employees, contractors and shopkeepers;
  • DoS or DDoS attacks;
  • Possible vulnerabilities on third-party applications/services integrated with Sisal platforms;
  • Content injection. Publishing content on a portal is a core function, so content injection (also known as "content spoofing" or "HTML injection") is not in scope unless a clear risk is demonstrated;
  • Reports of sudden outages on mobile apps that cannot be reproduced on updated versions of the operating system or on mobile devices released in the last 24 months;
  • Clickjacking on pages without sensitive actions/data;
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or on forms without sensitive actions/data;
  • Attacks that require MITM (Man in The Middle) or physical access to the user's device;
  • Misconfiguration on SSL/TLS;
  • Password, email and account policies (e.g., email id verification, password complexity);
  • Rate limiting or brute force on endpoints without authentication;
  • Missing HttpOnly or Secure flags on cookies;
  • Software version disclosure / Banner identification issues / Error messages or verbose headers (e.g., stack trace, application or server errors);
  • Backdoors;
  • Command injection (when a command injection vulnerability is found, simply show the output of the id or hostname commands and stop exploitation at that point).
ATTENTION: when analysing applications that are hosted by Cloud Service Providers (CSPs), carefully read and always abide by the CSP's Rules of Engagement (ROE). Examples:
  • ROE for AWS: https://aws.amazon.com/security/penetration-testing/
  • ROE for Azure: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement
  • ROE for Google Cloud: https://cloud.google.com/security/overview/
(these are just examples, always identify the CSP and follow its Rules of Engagement)
The European Union Agency for Cybersecurity (ENISA) has published a map of national Coordinated Vulnerability Disclosure (CVD) policies in EU member states. Their recommendations can be found at this link: https://www.enisa.europa.eu/news/enisa-news/coordinated-vulnerability-disclosure-policies-in-the-eu
 
1.5 Reporting Platform and Awards
 
Sisal does not operate a formal reward programme, but depending on the severity and impact of the vulnerability it may grant a reward. Any reward granted is at the company's sole discretion and is influenced by factors such as the potential impact of the vulnerability, the uniqueness of the finding, and the quality of the report.
Sisal also reserves the right to update this Responsible Disclosure Policy at any time.