This policy outlines how the Buildmedia Limited will coordinate the disclosure of information relating to vulnerabilities which, if exploited, could give rise to a compromise or degradation of the confidentiality, integrity and availability of a network, system or data.
Buildmedia Limited endeavours to minimise the potential harm and damage that could be caused by the exploitation of vulnerabilities. Where a vulnerability is identified, disclosure can ensure timely and effective resolution.
Wherever possible, Buildmedia Limited encourages any individual or organisation that has identified a potential vulnerability ('Finder') in a product or online service to make direct disclosure to the individual or organisation that developed the product or service or is responsible for maintaining it ('Vendor'). The Vendor may have its own vulnerability disclosure policy or provide guidance on how it will receive disclosures.
Where the Finder does not want to contact the Vendor directly, or has not had any success in contacting the Vendor directly, Buildmedia Limited is available to receive a vulnerability disclosure. Buildmedia Limited will act as a conduit of information only — we will endeavour to pass information on to the relevant Vendor. The Vendor may then contact the Finder directly and it is then for the parties to manage the relationship. Where the Finder wants to retain anonymity, we will, where appropriate, continue to act as a conduit and pass information between the parties.
Buildmedia Limited will coordinate vulnerability disclosure in order to balance the needs of the public to be informed of potential security vulnerabilities with the need for organisations to have time to effectively address any vulnerability.
The Finder, Buildmedia Limited and the Vendor agree to:
Subject to the terms of this policy, Buildmedia will:
Buildmedia Limited does not:
Vulnerabilities may be made public by Buildmedia Limited 45 days after it notified the Vendor about the vulnerability, regardless of the existence or availability of patches or other mitigating factors. This timeframe may change where the vulnerability is:
Reporting to Buildmedia Limited
We are available to receive information in accordance with this policy about any vulnerability which, if exploited, could give rise to a compromise or degradation of the confidentiality, integrity and availability of a network, system or data.
To report a vulnerability, send an email to email@example.com including the following information.
Details of the vulnerability including:
We also request information regarding:
Buildmedia Limited will endeavour to respond to the Finder with further details of the process within two business days.
Buildmedia Limited reserves the right to accept, reject, or prioritise any vulnerability disclosure at its discretion. The decision whether to accept or reject the vulnerability disclosure coordination role for a particular disclosure will generally be based on the scope and severity of the vulnerability and our ability to resource the process.
Buildmedia Limited acts only as a conduit in respect of any vulnerability disclosure or associated communication ('Disclosed Information'). Buildmedia Limited accept no liability to the Finder, the Vendor or any other party for any direct or indirect loss or damage of any kind whatsoever, however caused including by any act or omission on the part of Buildmedia Limited, and whether under contract, tort (including negligence), statute or any other basis for liability. Buildmedia Limited are not responsible for the use of or reliance on the Disclosed Information by any party. Buildmedia Limited does not make any express or implied representation or warranty regarding the Disclosed Information or its accuracy. The provision of Disclosed Information to a party by Buildmedia Limited does not constitute any endorsement, verification or recommendation by Buildmedia Limited.
Information provided to Buildmedia Limited may be disclosed to third parties as required by law or where Buildmedia Limited considers disclosure to be in the public interest.
Any inquiries regarding this policy should be directed to firstname.lastname@example.org.