12/03/2020 - 03:00 PM
To send a detected vulnerability write to firstname.lastname@example.org
Below you will find the rules to follow.
Responsible Disclosure is a method to report system vulnerabilities which allows the recipient sufficient time to identify and apply the necessary countermeasures before making the information public.
By following this controlled and ethically correct reporting model, the sender helps companies identify and resolve system flaws, thus providing a valuable and efficient contribution to increasing the security of ICT services and avoiding damage or disruption to the systems involved.
Whenever a customer, researcher or expert identifies one or more vulnerabilities in the following environments:
he or she can send the information to TIM following the procedure laid out below.
Using the following procedure, whoever informs TIM of a system vulnerability is required to make a responsible disclosure so as not to expose other clients to unnecessary security risks.
The reporting person must avoid performing any activity that can either disrupt the impacted system or service or cause any data leakage/loss, limiting his/her use of the system/service to the minimum necessary and refraining from accessing data not strictly necessary to prove the existence of the vulnerability. Any activity on the impacted system/service must be carried out in full compliance with the provisions of the present policy. Moreover, the use of intensive or invasive scanning tools is not allowed.
Responsible disclosure implies that the reporting person has not spied on or disclosed any third-party data without their consent.
Specifically, whoever activates the procedure must:
Send the information via email to email@example.com with the following details:
Observe strict secrecy on all information pertaining to the vulnerabilities discovered, and therefore commit not to reveal any of these, entirely or partially, or in any form make them available to third parties for a period of not less than 90 days, allowing TIM the required time to identify and apply the necessary countermeasures. In especially complex cases, TIM reserves the right to extend this period, giving appropriate notice to whoever sent the information.
In cases where the information regarding the vulnerabilities comes from a legal entity (public or private), corporation, consortium or other associative body, the sender must take the necessary steps to limit access to said information to those employees who require the use of the affected system for their work activities, enacting all suitable and appropriate measures to maintain confidentiality and the above-mentioned limits while accessing and using the information.
Once a notice has been received, TIM is committed to following up as follows:
TIM does not offer economic rewards; moreover, TIM reserves the right not to handle reports which do not respect the criteria indicated in this procedure.
TIM stresses the importance of maintaining responsible behavior even after the release of any patch, as the rollout process can be long and complicated. Therefore, we ask for a careful evaluation of any information released in this regard, with the objective of safeguarding user security.
Below you will find some examples of vulnerability categories which are considered eligible for publication in the Hall of Fame:
On the other hand, the following situations are not covered by this Responsible Disclosure initiative and therefore are not eligible for the Hall of Fame:
TIM reserves the right to update this Responsible Disclosure procedure at any time.
We would like to thank all persons who make a responsible disclosure to us and recognize their valuable contribution in increasing the security of our products and services.