Categories
Purpose
LINX welcomes investigative work into security vulnerabilities, carried out by well-intentioned and ethical security researchers. We are committed to:
- thoroughly investigating and resolving security issues in our platform and services
- working in collaboration with the security community
- responding promptly and actively
Scope
We are interested in vulnerabilities in the following online platforms provided by LINX:
These should focus on Breaches of Confidentiality, Integrity or Availability of our Members, suppliers and/or staff in any meaningful way.
The ‘in scope’ vulnerabilities must be original, previously unreported, and not already discovered by internal procedures.
The policy applies to everyone including, for example, LINX staff, third-party suppliers, and general users of LINX public services.
Out of Scope
There are a number of vulnerabilities that are out of the scope of this policy, including:
- Volumetric vulnerabilities – meaning that simply overwhelming a service with a high volume of requests
- Non-exploitable vulnerabilities, or reports indicating that our services do not fully align with “best practice”, for example missing security headers
- SPF/DKIM/DMARC configuration
- TLS configuration weaknesses, for example, “weak” cipher suite support or the presence of TLS1.0 support
- Customers of LINX or non LINX sites hosted behind our infrastructure
- Any vulnerability obtained through the compromise of a LINX member or employee account
- Physical attacks against LINX employees, offices, and data centres
- Social engineering of LINX employees, contractors, vendors, or service providers
Reporting a Vulnerability
If you have discovered something you believe to be an in-scope security vulnerability, then submit a vulnerability report to soc@linx.net
Your report should provide:
- Valid contact information for the reporter
- Detailed steps to reproduce the vulnerability
- A short description of the vulnerability’s potential security impact
Bug Bounty
LINX will make efforts to show our appreciation to security researchers who take the time and effort to investigate and report security vulnerabilities to us according to this policy wherever we can. We may offer a small monetary reward for every verifiable report of a security problem that was not yet known to us and which meets the conditions described in this policy. The amount of the reward will be determined based on the severity of the issue, and the quality of the report. Lastly, note that only the first person/entity reporting an issue may be eligible for such a reward.
What to Expect
After submitting your vulnerability report, you will receive an acknowledgment reply usually within 24 working hours of your report being received.
The VTAG (Vulnerability & Threat Assessment Group) will triage the reported vulnerability, and respond as soon as possible to let you know whether further information is required, whether the vulnerability is in or out of scope, or is a duplicate report. If remediation work is necessary, it is assigned to the LINX team or supplier(s), supported by the VTAG team.
Priority for bug fixes or mitigations is assessed by looking at the impact severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire about the status of the process but should avoid doing so more than once every 14 days. The reason is to allow our teams to focus on the reports as much as possible.
When the reported vulnerability is resolved, or remediation work is scheduled, the VTAG team will notify you, and invite you to confirm that the solution covers the vulnerability adequately.
You are particularly invited to give us feedback on the disclosure handling process, the clarity and quality of the communication relationship, and of course the effectiveness of the vulnerability resolution. This feedback will be used in strict confidence to help us improve our processes for handling reports, developing services, and resolving vulnerabilities.
