EDAS Conference Services (EDAS), a provider of services for scientific conferences, is committed to ensuring the security and privacy of our users. Towards this end, EDAS is now formalizing our policy for accepting vulnerability reports in our service. We hope to foster an open partnership with the security community, and recognize that the work the community does is important in continuing to ensure safety and security for all of our users. We have developed this policy both to reflect our corporate values and to uphold our legal responsibility to good-faith security researchers who are providing us with their expertise.
Scope
EDAS Vulnerability Disclosure Program initially covers the following sites: https://*.edas.info
Researchers that submit a vulnerability report to us, once accepted and validated by our product security team, will be given full credit on our website.
Legal Posture
EDAS Conference Services will not engage in legal action against individuals that submit vulnerability reports through our vulnerability reporting mechanism. We openly accept reports for the currently listed EDAS sites. We agree not to pursue legal action against individuals who:
- Engage in testing of systems and research without harming EDAS or its users, including refraining from disclosing non-public information about these users.
- Engage in vulnerability testing within the scope of our vulnerability disclosure program.
- Test on services without affecting users, and receive permission and consent from users before engaging in vulnerability testing against their EDAS accounts.
- Adhere to the laws of their location and the location of EDAS. For example, violating laws that would only result in a claim by EDAS (and not a criminal claim) may be acceptable as EDAS is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
How to Submit a Vulnerability
To submit a vulnerability report to the EDAS Security Team, please use the help form.
Report Acceptance Criteria
We will use the following criteria to decide whether or not to accept the report. A declined report means that the report was not of sufficient quality or was out of scope.
What we would like to see from you:
- Well written reports in English will have a higher chance of being accepted.
- Reports that include proof of concept code, URLs or form data will be more likely to be accepted.
- Reports that include products not on the covered list will most likely be ignored.
- Include how you found the bug, the impact, and any potential remediation.
- Consideration of whether the vulnerability may have safety, privacy or operational stability impact.
- Any plans for public disclosure.
What you can expect from us:
- A timely response to your email (within 2 business days).
- An open dialog to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our review.
- An expected timeline for patches and fixes (usually within 30 days).
- Credit after the vulnerability has been validated and fixed.
- If we are unable to resolve communication issues or other problems, EDAS may bring in a neutral third party (such as CERT/CC or ICS-CERT) to handle the vulnerability, or may encourage you to disclose the vulnerability publicly.
Versioning
This document was created 05-March-2019. Any updates will be noted below in the version notes.
Acknowledgments
The following individuals have contributed disclosures:
- Naveen Kumar
- Cédric Lissanon @Sancelisso
- Harinder Singh (S1N6H)
- Ramansh Sharma
- Rohit Sharma
We appreciate their contributions to making EDAS more secure.