
Vulnerability Disclosure Policy

LINX holds the personal data of those people it interacts with in line with appropriate privacy policies. Different policies apply depending on the context in which LINX interacts with you. These have been developed to comply with the principles of the GDPR.


Purpose

LINX welcomes investigative work into security vulnerabilities, carried out by well-intentioned and ethical security researchers. We are committed to:

  • thoroughly investigating and resolving security issues in our platform and services
  • working in collaboration with the security community
  • responding promptly and actively

Scope

We are interested in vulnerabilities in the following online platforms provided by LINX:

These should focus on Breaches of Confidentiality, Integrity or Availability of our Members, suppliers and/or staff in any meaningful way.

The ‘in scope’ vulnerabilities must be original, previously unreported, and not already discovered by internal procedures.

The policy applies to everyone including, for example, LINX staff, third-party suppliers, and general users of LINX public services.

Out of Scope

There are a number of vulnerabilities that are out of the scope of this policy, including:

  • Volumetric vulnerabilities, meaning simply overwhelming a service with a high volume of requests
  • Non-exploitable vulnerabilities, or reports indicating that our services do not fully align with “best practice”, for example missing security headers
  • SPF/DKIM/DMARC configuration
  • TLS configuration weaknesses, for example, “weak” cipher suite support or the presence of TLS 1.0 support
  • Customers of LINX or non-LINX sites hosted behind our infrastructure
  • Any vulnerability obtained through the compromise of a LINX member or employee account
  • Physical attacks against LINX employees, offices, and data centres
  • Social engineering of LINX employees, contractors, vendors, or service providers

Reporting a Vulnerability

If you have discovered something you believe to be an in-scope security vulnerability, submit a vulnerability report to soc@linx.net.

Your report should provide:

  • Valid contact information for the reporter
  • Detailed steps to reproduce the vulnerability
  • A short description of the vulnerability’s potential security impact
  • Messages can optionally be encrypted using our public PGP key

 


Bug Bounty

LINX will make efforts to show our appreciation to security researchers who take the time and effort to investigate and report security vulnerabilities to us according to this policy wherever we can. We may offer a small monetary reward for every verifiable report of a security problem that was not yet known to us and which meets the conditions described in this policy. The amount of the reward will be determined based on the severity of the issue, and the quality of the report. Lastly, note that only the first person/entity reporting an issue may be eligible for such a reward.

What to Expect

After submitting your vulnerability report, you will receive an acknowledgment reply usually within 24 working hours of your report being received.

The VTAG (Vulnerability & Threat Assessment Group) will triage the reported vulnerability and respond as soon as possible to let you know whether further information is required, whether the vulnerability is in or out of scope, or whether it is a duplicate report. If remediation work is necessary, it is assigned to the LINX team or supplier(s), supported by the VTAG team.

Priority for bug fixes or mitigations is assessed by looking at the impact severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire about the status of the process but should avoid doing so more than once every 14 days. The reason is to allow our teams to focus on the reports as much as possible.

When the reported vulnerability is resolved, or remediation work is scheduled, the VTAG team will notify you, and invite you to confirm that the solution covers the vulnerability adequately.

You are particularly invited to give us feedback on the disclosure handling process, the clarity and quality of the communication relationship, and of course the effectiveness of the vulnerability resolution. This feedback will be used in strict confidence to help us improve our processes for handling reports, developing services, and resolving vulnerabilities.
