Vulnerability Disclosure Policy

Ironstar is committed to ensuring the security and protection of its data and its customers' information, and the ongoing integrity of Ironstar products and services. Ironstar welcome the engagement of the security community in the pursuit of bringing awareness to security vulnerabilities in our platform and services.

The Vulnerability Disclosure Policy (VDP) provides guidelines for security researchers to share their research findings with Ironstar. It outlines how to conduct valid research activities, what systems are covered, where to send vulnerability reports and how long to wait before publicly disclosing vulnerabilities.

Guidelines

Under this policy, "security research" are activities in which you:

• Conduct research test activities on Ironstar products and services in which you have lawful authorised access.
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
• Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit for gain, to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
• Notify Ironstar as soon as possible after you discover an active or potential security issue.
• Submit a quality report with enough information to allow Ironstar to be able to recognise or remediate the vulnerability.
• Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Research test methods

The following research methods are not authorised:

• Tests that impair access to or damage a system or data – such as network denial of service (DoS or DDoS).
• Non-technical vulnerability testing – such as physical testing (e.g. office access, open doors, tailgating) and social engineering (e.g. voice (vishing) or sms (smishing) phishing).
• Any activity that violates any law.

Scope

This policy applies to the following systems and services:

• ironstar.io - including the following subdomains:

  • api.ironstar.io
  • uploads.ironstar.io
• tokaido.io

• Ironstar open source tools

  • Tokaido - https://github.com/ironstar-io/tokaido
  • Ironstar CLI - https://github.com/ironstar-io/ironstar-cli
• Any customer environment you have been granted access to for the purposes of security research
• Any SSH Proxy endpoint you have been granted access to for the purposes of security research

This policy strictly excludes customer sites hosted by Ironstar including those under the following subdomains:

• *.au1.ironstar.io
• *.eu1.ironstar.io
• *.us1.ironstar.io

Ironstar ask that security research only be conducted on the systems and services listed in the scope of this document. You must not test customer sites or infrastructure unless directly requested to do so by those customers, or by following their own security research or discovery policy. Ironstar will adjust the scope of this policy over time as necessary. If there is a particular system not listed in scope that you think merits testing, please contact Ironstar first before conducting your research activities at [email protected].

Vulnerabilities found in systems from our vendors fall outside of this policy’s scope, however Ironstar welcomes reports of this nature. We encourage you to report directly to the vendor according to their disclosure policy.

Submitting reports

Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities.

If your findings include discovered vulnerabilities that affect all users of a product or service and not solely Ironstar, we may share your report with pertinent parties (including the Australian Cyber Security Centre (ACSC) when warranted), where we will contribute to any coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.

We accept vulnerability reports at [email protected]. We do not support PGP-encrypted emails. For particularly sensitive information, submit through our HTTPS web form.

Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days and keep you informed during the remediation process on your request.

Recommended report content

To aid in the triage and resolution of submissions, Ironstar request that your report is in English (if possible) and includes information such as:

• The location (system, service) of where the vulnerability was discovered
• If relevant, whether the vulnerability was found in a vendors system
• A description of the potential impact of exploitation

• Detailed explanation of the steps to reproduce the vulnerability, including any of the following supporting information where applicable:

  • any test accounts created
  • screenshots
  • proof-of-concept code

Communication from Ironstar

If you choose to share your contact information, Ironstar is committed to open and transparent communication.

• Ironstar will acknowledge receipt of the report within 3 business days.
• To the best of our ability, Ironstar will confirm the existence of the vulnerability to you and communicate what steps we are taking during the remediation process as much as possible.
• Ironstar welcome any discussions, and can communicate any issues, challenges or delays to the resolution of your report.

Ironstar generally do not offer financial remuneration for conducted research except under a pre-existing arrangement, however exceptions to this may be made for significant vulnerabilities at our sole discretion.

Questions and feedback

Any questions or feedback about this policy may be sent to [email protected].