Vulnerability Disclosure Guidelines
If you find a security issue with any Bastion Security Group systems, please tell us so that we can get it fixed.
Our goal is to protect our staff and customers’ privacy. That means encouraging people to tell us about vulnerabilities and getting them fixed as soon as possible. We want to work with anyone who tells us about vulnerabilities in our systems.
Bastion uses a range of services from various providers. If the vulnerability is in a vendor’s product or service then we will need to pass the information on to them. We will not pass on your personal information including your contact details without your permission.
How to tell us
Please contact the Bastion security team immediately.
Email us at security@bastionsecurity.co.nz. Our emails are monitored Monday to Friday, 08:00 - 17:30 (NZT) and we’ll respond to you within one working day.
If you want to encrypt your email, our public key is available at https://bastionsecurity.co.nz/pgp-key-security.txt.
What to tell us
Please tell us as much as you can about your finding without doing any further work on the vulnerability. This could include:
- Type of vulnerability
- Whether the vulnerability has been published or shared with others
- Affected systems, products and versions
- Affected configurations
- Step-by-step instructions, screenshots or proof-of-concept code to replicate your finding
- If personal information was exposed
- What has happened with any personal information exposed
What we will do
We will acknowledge receipt of your email as soon as possible and give you an update on the progress of our investigation within 5 working days.
We will look at the reported vulnerability and work with any service provider to validate your finding.
We will notify you of what our investigation found and what we decided to do.
We aim to address all vulnerabilities as quickly as possible, but may rely on third-party suppliers and the terms of any contract.
What you should not do
Some types of behaviour are not reasonable research approaches. Please do not act in ways that can cause harm. This can include:
- Denial of Service (DoS/DDoS) attacks
- Accessing data or information that does not belong to you. Once you see there is a problem that exposes information, please do not look for more information; one example is enough
- Destroying or corrupting data or information that does not belong to you
- Sharing or publishing any personal information that you have obtained
Protecting privacy
Please do not share with others any vulnerability that you find until we’ve had the opportunity to fix it. We don’t want others trying to exploit the vulnerability.
Please do not share any personal information obtained from Bastion as that could cause harm to individuals. Publishing or sharing personal information may be considered a breach of the New Zealand Privacy Act and could expose you to liability.
Our commitment
If you act in good faith and follow these guidelines, then Bastion makes the following commitments to you:
- The information that you share with us as part of this process will be kept confidential within Bastion and our directly contracted suppliers
- Your personal information, including contact details, will not be shared with third parties without your permission
- We will not initiate legal action against people attempting to find vulnerabilities within our systems who adhere to these guidelines.