This article is written for independent security researchers.
We welcome independent security researchers to perform controlled testing on Deputy’s environment, under limited circumstances.
The terms below are designed to create certainty for those wishing to perform security research work on the Deputy platform, as well as to establish a safe set of rules that encourage collaboration.
- Security researchers MUST register with Deputy prior to undertaking any security testing.
- Registration is via email at firstname.lastname@example.org.
- Registration details MUST include email addresses and sufficient contact details to allow Deputy to make contact and get a response within 15 minutes, in the event that testing is causing an operational or customer-impacting issue.
- Registration will also include the Deputy target instance(s) used for testing, and the timeframe of testing (minimum 4 weeks in advance). If the target instance is a trial instance, we can extend the trial period to accommodate the testing.
- Any testing outside of the registered timeframe window will be considered hostile, and we may at our discretion perform any action to protect Deputy and the customer’s instance and data, up to and including blocking traffic and suspending the customer’s service.
- Testing must be designed to be non-destructive and not create an impact on other customers. This means the following is explicitly out of scope for testing:
  - Denial of Service or any other form of load or stress-based testing.
  - Testing against https://once.deputy.com/ or any other Deputy asset that is used by multiple customers.
  - Any form of testing that may expose customer data from any other Deputy customer, or Deputy intellectual property. If testing reveals this, then the test must cease and a finding provided to Deputy.
- Researchers must cease all testing activity on request by Deputy. The researcher will assume all liability for any testing activity occurring after a request to suspend testing is received and acknowledged. For the avoidance of doubt, it is expected that any email or phone message will be considered acknowledged within 15 minutes of delivery to the researcher’s technical contact for testing.
- Researchers must provide a report to Deputy on email@example.com within 14 days of testing being completed.
- The report will list all testing performed and all findings.
- Deputy will work with the customer to resolve any findings, and may at its discretion request a re-test of findings to verify resolution or de-risking of a finding.
- Any findings of severity medium or higher must be reproducible, and sufficient code, data, or commands must be provided so that the finding can be independently reproduced.
- Researchers will keep the results of testing confidential, and findings may only be released publicly with the written consent of the Deputy Head of Security. This also applies to areas such as bug bounty responses, Critical Vulnerability Exploit (CVE) requests, and other responsible disclosure processes.
- Any publication of findings may reference or provide credit to the customer or their testing group as appropriate. Deputy will commit to responsible disclosure of any finding that warrants a security bulletin, at our discretion.
- Deputy is under no obligation to pay a bug bounty, donation, or any other form of compensation for delivered research work.
- Deputy will strive to recognise well-produced and presented research work consistent with the terms above, either through Security Bulletins or other means of compensation as it sees fit.
Finally, a reminder to independent security researchers that by creating a trial account, you are also accepting Deputy’s terms of service, which explicitly exclude penetration testing attempts.
This policy is written to make your rights and Deputy’s rights in this situation clear, so that there is a shared understanding of how you may work with us on security. We write this for your protection and ours, so please co-operate with us in your work so that we can create a thriving workplace.