Vulnerability Disclosure Program
VDP PROGRAM OVERVIEW
The INE Vulnerability Disclosure Program (VDP) is one that allows finders* to contact us if a vulnerability is identified on any of our systems or platforms without fear of legal action or retribution under the protection of Safe Harbor**.
It is important to note that intentionally accessing any INE platform or system without permission is an illegal act, even if security concerns are identified in the process. The INE VDP is intended to protect those who are accessing our systems in ethical ways and with good intentions.
If you identify a vulnerability, we ask that you please submit a report using the form below. Once the form has been submitted, our teams will evaluate the submission for further action. We take every VDP report very seriously and strive to ensure we are taking the right steps to mitigate future risks and resolve reported vulnerabilities.
HOW TO SUBMIT A REPORT
All vulnerabilities must be reported through the INE VDP form below. In your submission, please provide a detailed summary of the vulnerability and include step-by-step instructions to reproduce the issue, a proof-of-concept, impact of the issue, and suggested mitigation or remediation actions. Reports may be submitted anonymously.
By clicking “Submit Report,” you are indicating you have read, understand, and agree to the terms and conditions of the program. This program has been designed solely for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to publicly accessible INE information systems.
REVIEW & REMEDIATION PROCESS
Upon receipt of the report, the finder will receive an acknowledgement of their submission or a request for more information on what was identified within 10 business days. If a vulnerability has been validated, the finder will be notified and given a timeframe for remediation.
Depending on the complexity or severity of the repair, the solution could take weeks or months to complete. A standard turnaround is 45 business days. In the event the repair takes longer than the standard timeframe, INE will discuss the disclosure process with the finder who identified the vulnerability.
If an out-of-scope*** submission is received, it will be accepted and acted upon appropriately but will not be eligible for disclosure.
TERMS & CONDITIONS
Any testing or reporting you undertake constitutes your agreement to all terms and conditions of the program.
- You will not exploit vulnerabilities. This includes taking any action beyond the minimal amount of testing required to prove a vulnerability exists or to identify an indicator related to a vulnerability. Examples of action taken beyond those mentioned above include downloading or accessing more data than needed to demonstrate the vulnerability, deleting or modifying data, or looking into third-party data.
- If you encounter any high risk data such as Personally Identifiable Information (PII), Protected Health Information (PHI), credit card data, or other confidential information, you will cease testing and submit a report immediately.
- You will avoid intentionally accessing the content of any communications, data, or information transiting or stored on an INE information system or systems – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists. An information system is classified as a set of information resources for collecting, processing, maintaining, using, sharing, or disseminating information.
- All information relating to the vulnerabilities discovered through the VDP is considered confidential information. You will not disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving express written authorization from INE.
- You will not exfiltrate any data under any circumstances.
- You will not intentionally compromise the privacy or safety of INE personnel, or any third parties.
- You will not intentionally compromise the intellectual property or other commercial or financial interests of any INE personnel or entities, or any third parties.
- If during your research you are inadvertently exposed to information the public is not authorized to access, you will effectively and permanently erase all identified information in your possession as directed by INE and report to INE that you have done so.
- You will not conduct denial of service testing.
- You will not conduct physical testing (e.g. office access, open doors, tailgating) or social engineering, including spear phishing, concerning INE personnel or contractors.
- You will not submit a high volume of low-quality reports.
- If at any point you are uncertain whether to continue testing, please engage with our team.
This policy does not grant authorization, permission, or otherwise allow express or implied access to INE information systems to any individual, group of individuals, consortium, partnership, or any other business or legal entity. However, if a finder working in accordance with the terms and conditions of this VDP discloses a vulnerability, then INE will, in the exercise of its authorities, take the following steps: (1) not initiate or recommend any law enforcement action or civil lawsuits related to such activities against that finder, and (2) inform the pertinent law enforcement agencies or civil plaintiffs that the finder's activities were, to the best of our knowledge, conducted pursuant to, and in compliance with, the terms and conditions of the program.
You must otherwise comply with all applicable Federal, State, and local laws in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with terms and conditions of the program or the law. If you engage in any activities that are inconsistent with the terms and conditions of the program or the law, you will not be considered a finder and may be subject to criminal penalties and civil liability.
To the extent that any finding or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-INE entity (e.g., other private sector companies or persons; employees or personnel of any such entities; or any other such third party), that non-INE entity may independently determine whether to pursue legal action or remedies related to such activities.
INE is not responsible for determining whether action is taken by a third party or what action will be taken, if any. If INE is notified of a vulnerability in a third-party product, we will respond to the original submission within 10 business days, but it is not the responsibility of INE to remediate or fix the vulnerability. This responsibility falls on the third party.
INE may modify the terms and conditions or terminate the program at any time.
*A finder is defined as someone who has inadvertently discovered a security issue and needs help understanding where to report findings in a way that balances their legal safety with the knowledge the issue has been addressed. A finder can also be defined as someone who is part of the security community that inadvertently found a security issue but wants his or her peers to be aware of their findings, allowing proper remediation to take place. A finder is not someone who intentionally searches for vulnerabilities in an effort to receive financial compensation or credit.
**Safe Harbor is a term used to describe a clause or statute which has been added to public policy allowing individuals to act in good faith while participating in conduct deemed not to violate the policy or given rule. This term is most commonly used in relation to acts conducted while abiding by more standard or vague policies. The concept of a Safe Harbor is growing in importance in the world of technology and the internet; more specifically the world of hacking. Many laws related to hacking were established prior to the concept of hacking for good. We now live in a time where, in addition to those who hack unethically, many people have made careers of using their hacking skills for good and to prevent those with bad intentions from getting in. An example of a Safe Harbor related to hacking would be someone hacking a system to conduct security-based research in an effort to identify potential vulnerabilities, but doing so all in good faith and with the permission of the organization administrator.
***Out-of-scope refers to a non-exhaustive list of systems and security testing activities that the organization strongly wishes to discourage testing against.