RESPONSIBLE VULNERABILITY DISCLOSURE POLICY
Introduction
This policy aims to define a process by which security researchers can work with ORF to help improve the security of our products and services.
ORF takes security and the trust of our users very seriously. The responsible disclosure of security vulnerabilities helps us to ensure the security and privacy of our users. We are committed to thoroughly investigating and resolving security issues on our platforms and services.
In Scope
This disclosure policy applies only to vulnerabilities in ORF products and services under the following conditions:
- Only domains/subdomains which have a security.txt file in their root (e.g. https://shop.orf.at/security.txt) are in scope. Currently, the scope is limited to https://orf.at
Out of scope
Any services hosted by 3rd party providers are excluded from scope.
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Findings from applications or systems not listed in the 'In Scope' section
- UI and UX bugs and spelling mistakes
- Reports of non-exploitable vulnerabilities and/or reports indicating that our services do not fully align with "best practice" (e.g. missing security headers) are not in scope.
- Network level Denial of Service (DoS/DDoS) vulnerabilities
- TLS configuration weaknesses (e.g. "weak" ciphersuite support, TLS 1.0 support etc.) are not in scope.
- Volumetric vulnerabilities are not in scope (i.e. simply overwhelming our service with a high volume of requests is not in scope).
- Personally identifiable information (PII)
- Credit card holder data
Rewards
Unfortunately, due to ORF's funding structure, it is not currently possible for us to offer a paid bug bounty program. We would, however, like to offer a token of our appreciation to security researchers who take the time and effort to investigate and report security vulnerabilities to us according to this policy. Reporters of qualifying vulnerabilities will be offered a unique company reward and special acknowledgement of their achievement on the company's website.
Mandatory Rules
Responsible security researchers understand that the integrity and security of our customers is our priority and will work with ORF to ensure that all necessary vulnerabilities are resolved, and that customers have ample opportunity to deploy the fixes required before releasing information regarding their finding on a public forum, blog, or social media.
The ciso@orf.at address is only to be used for submitting potential product vulnerabilities. Regular product or service support should be directed to our contact E-mail kundendienst@orf.at.
Security researchers must not:
- Access unnecessary amounts of data. For example, 2 or 3 records is enough to demonstrate most vulnerabilities (such as an enumeration or direct object reference vulnerability);
- Violate the privacy of ORF users, staff, contractors, systems etc. For example, by sharing, redistributing and/or not properly securing data retrieved from our systems or services;
- Communicate any vulnerabilities or associated details via methods not described in this policy or with anyone other than your dedicated ORF security contact;
- Modify data in our systems/services which is not your own;
- Place or insert any kind of malicious code on the system;
- Disrupt our service(s) and/or systems; or
- Disclose any vulnerabilities in ORF systems/services to 3rd parties/the public prior to ORF confirming that those vulnerabilities have been mitigated or rectified. This does not prevent notification of a vulnerability to 3rd parties to whom the vulnerability is directly relevant, for example where the vulnerability being reported is in a software library or framework – but details of the specific vulnerability of ORF must not be referenced in such reports. If you are unsure about the status of a 3rd party to whom you wish to send notification, please e-mail ciso@orf.at for clarification.
ORF requests that all data retrieved during research is securely deleted as soon as it is no longer required and at most 1 month after the vulnerability is resolved, whichever occurs sooner.
If you are unsure at any stage whether the actions you are thinking of taking are acceptable, please contact our security team for guidance (please do not include any sensitive information in the initial communications): ciso@orf.at.
Reporting a vulnerability
If you have discovered an issue which you believe is an in-scope security vulnerability (please see section above for more detail on scope), please e-mail ciso@orf.at including:
- The website or page in which the vulnerability exists.
- A brief description of the class of the vulnerability (e.g. "XSS vulnerability"). Please avoid including any details which would allow reproduction of the issue at this stage. Details will be requested subsequently, over encrypted communications.
In accordance with industry convention, we ask that reporters provide a benign (i.e. non-destructive) proof of exploitation wherever possible. This helps to ensure that the report can be triaged quickly and accurately whilst also reducing the likelihood of duplicate reports and/or malicious exploitation for some vulnerability classes (e.g. sub-domain takeovers).
Please ensure that you do not send your proof of exploit in the initial, plaintext e-mail if the vulnerability is still exploitable. Please also ensure that all proofs of exploitation are in accordance with our guidance (below); if you are in any doubt, please e-mail ciso@orf.at for advice.
Please read this document fully prior to reporting any vulnerabilities to ensure that you understand the policy and can act in compliance with it.
What to expect
In response to your initial e-mail to ciso@orf.at you will receive an acknowledgement e-mail from the ORF Security Team, usually within 72 hours of your report being received. The acknowledgement e-mail will include a ticket reference number that you can quote in any further communications with our Security Team.
A secure communication channel (e.g. S/MIME, PGP, ...) is defined by ORF in the confirmation e-mail, which you can use for future messages containing sensitive information. Following the initial contact, our Security Team will work to triage the reported vulnerability and will respond to you as soon as possible to confirm whether further information is required and/or whether the vulnerability qualifies as per the above scope or is a duplicate report.
From this point, necessary remediation work will be assigned to the appropriate ORF teams and/or supplier(s). Priority for bug fixes and/or mitigations will be assigned based on the severity of impact and complexity of exploitation. Vulnerability reports may take some time to triage and/or remediate; you are welcome to enquire on the status of the process, but please limit this to no more than once every 14 days, as this helps our Security Team focus on the reports as much as possible. Our Security Team will notify you when the reported vulnerability is resolved (or remediation work is scheduled) and will ask you to confirm that the solution covers the vulnerability adequately.
We will offer you the opportunity to feed back to us on the process and relationship as well as the vulnerability resolution. This information will be used in strict confidence to help us improve the way in which we handle reports and/or develop services and resolve vulnerabilities. We will also offer to include reporters of qualifying vulnerabilities on our acknowledgments page and we'll ask for the details you wish to be included.
Legal Framework
This policy is designed to be compatible with common good practice among well-intentioned security researchers. It does not give you permission to act in any manner that is inconsistent with the law or that would cause ORF to be in breach of any of its legal obligations, including but not limited to:
- The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018
- Austrian Data Protection Act
- Austrian Telecommunications Act 2021
ORF will not seek prosecution of any security researcher who reports, in good faith and in accordance with this policy, any security vulnerability on an in-scope ORF service.
Hall of Fame
| Researcher | Date | Vulnerability |
|---|---|---|
| Jack Liam | 01/2024 | Security Misconfiguration |
| Saran SENGOTTUVEL | 07/2024 | Security Misconfiguration |
| Harald Schmal | 11/2024 | Security Misconfiguration |
| Mirza Sanaullah | 12/2024 | Security Misconfiguration |