Buildmedia coordinated vulnerability disclosure policy

This policy outlines how Buildmedia Limited will coordinate the disclosure of information relating to vulnerabilities which, if exploited, could give rise to a compromise or degradation of the confidentiality, integrity and availability of a network, system or data.

Buildmedia Limited endeavours to minimise the potential harm and damage that could be caused by the exploitation of vulnerabilities. Where a vulnerability is identified, disclosure can ensure timely and effective resolution.

Wherever possible, Buildmedia Limited encourages any individual or organisation that has identified a potential vulnerability ('Finder') in a product or online service to make direct disclosure to the individual or organisation that developed the product or service or is responsible for maintaining it ('Vendor'). The Vendor may have its own vulnerability disclosure policy or provide guidance on how it will receive disclosures.

Where the Finder does not want to contact the Vendor directly, or has not had any success in contacting the Vendor directly, Buildmedia Limited is available to receive a vulnerability disclosure. Buildmedia Limited will act as a conduit of information only: we will endeavour to pass information on to the relevant Vendor. The Vendor may then contact the Finder directly, and it is then for the parties to manage the relationship. Where the Finder wants to retain anonymity, we will, where appropriate, continue to act as a conduit and pass information between the parties.

Buildmedia Limited will coordinate vulnerability disclosure in order to balance the needs of the public to be informed of potential security vulnerabilities with the need for organisations to have time to effectively address any vulnerability.

Responsible Disclosure

The Finder, Buildmedia Limited and the Vendor agree to:

  • adopt the procedures outlined in this policy
  • operate in accordance with relevant local laws
  • take reasonable care to minimise the risk of harm from security research, vulnerability discovery and disclosure
  • in the case of the Finder, provide sufficient information on the reported vulnerability as required
  • in the case of the Vendor, conduct its own security checks on any disclosure and information received
  • maintain discretion, and
  • communicate in a timely manner.

Subject to the terms of this policy, Buildmedia will:

  • make reasonable efforts to contact the Vendor as soon as practical after receiving a disclosure, and will provide the Finder’s name and contact details to the Vendor (unless anonymity is requested)
  • where requested, maintain the Finder’s anonymity to the extent possible
  • make reasonable efforts to contact the Finder and the Vendor prior to any release of the disclosure
  • seek agreement, where possible, between relevant parties before disclosing information regarding a vulnerability to the public, and
  • provide fair treatment to all relevant parties as much as possible.

Buildmedia Limited does not:

  • verify, analyse or investigate information provided by the Finder before conveying it to the Vendor
  • provide any reward or incentive such as a 'bug bounty'
  • recommend or pursue legal action on behalf of another party
  • condone or encourage breaches of the law
  • offer a whistle-blower service, or
  • provide any 'safe harbour' protection from civil or criminal liability.

Timeframe

Vulnerabilities may be made public by Buildmedia Limited 45 days after it has notified the Vendor about the vulnerability, regardless of the existence or availability of patches or other mitigating factors. This timeframe may change where the vulnerability is:

  • being actively exploited
  • publicly disclosed by an entity other than Buildmedia Limited
  • reported by multiple sources to Buildmedia Limited or the Vendor
  • considered to be exceptionally serious (for example, threatening public safety), or
  • the subject of an agreement between the parties, or where Buildmedia Limited considers a change necessary.

Reporting to Buildmedia Limited

We are available to receive information in accordance with this policy about any vulnerability which, if exploited, could give rise to a compromise or degradation of the confidentiality, integrity and availability of a network, system or data.

To report a vulnerability, send an email to disclosure@buildmedia.com including the following information.

Details of the vulnerability including:

  • what products/services and versions are affected?
  • what platform(s) does the product use?
  • what is the likely impact of exploitation?
  • any other relevant information you can supply
  • any proof of concept.

We also request information regarding:

  • your contact details so we can communicate with you
  • whether you have been in contact with the Vendor
  • whether this information has been published or shared with others, and
  • whether you would prefer to remain anonymous.

Buildmedia Limited will endeavour to respond to the Finder with further details of the process within two business days.

Buildmedia Limited reserves the right to accept, reject, or prioritise any vulnerability disclosure at its discretion. The decision whether to accept or reject the vulnerability disclosure coordination role for a particular disclosure will generally be based on the scope and severity of the vulnerability and our ability to resource the process.

Disclaimer

Buildmedia Limited acts only as a conduit in respect of any vulnerability disclosure or associated communication ('Disclosed Information'). Buildmedia Limited accepts no liability to the Finder, the Vendor or any other party for any direct or indirect loss or damage of any kind whatsoever, however caused, including by any act or omission on the part of Buildmedia Limited, and whether under contract, tort (including negligence), statute or any other basis for liability. Buildmedia Limited is not responsible for the use of or reliance on the Disclosed Information by any party. Buildmedia Limited does not make any express or implied representation or warranty regarding the Disclosed Information or its accuracy. The provision of Disclosed Information to a party by Buildmedia Limited does not constitute any endorsement, verification or recommendation by Buildmedia Limited.

Information provided to Buildmedia Limited may be disclosed to third parties as required by law or where Buildmedia Limited considers disclosure to be in the public interest.

Contact us

Any inquiries regarding this policy should be directed to disclosure@buildmedia.com.