We take the security of our technical infrastructure very seriously. If you nevertheless come across something that you regard as a vulnerability in one of our technical systems or services, please let us know straight away, so that we can rectify the situation as soon as possible.
Have you found a vulnerability?
To prevent others from abusing the potential vulnerability, we ask you to respect the following guidelines of our Responsible Disclosure Policy:
- Mail your observations as soon as possible to firstname.lastname@example.org. You can write in either English or Slovenian.
- Encrypt your message using our PGP key so that the information can’t fall into the wrong hands.
- In your message, be complete and provide as much information as you can, so that we have the best possible chance of reproducing and resolving the problem you have encountered. In most cases, the IP address or URL of the system in question plus an outline of the vulnerability will be enough. However, a complex issue may require a detailed description (including screenshots, log entries, etc.).
- When reporting an issue, include at least an e-mail address that we can use to get in touch if we need additional details or clarification.
- Don’t use automated scanners and do not change any data or system settings. Ensure that any research you perform does not harm the operational performance of our systems. DDoS, social engineering attacks, installation of malware or viruses, password theft, fraud, etc. will be treated as an offence and reported to the authorities.
- Don’t share what you’ve found with anyone else until we’ve resolved the problem.
- Destroy any confidential information that may have come into your possession.
- Act responsibly with your knowledge of the security issue. Go no further than necessary to demonstrate the vulnerability to us. Don’t misuse the security problem you have encountered.
What can you test?
Suspected security vulnerabilities that could be misused for illegal purposes and which occur:
- Within our ICT systems, services and networks.
What can you expect from us?
- If you follow the conditions set out above when reporting an issue to us, we will not take legal action against you in connection with your research into that issue.
- We appreciate your help in improving the security of our systems and networks. That’s why we will do our utmost to handle all contact with you fairly and respectfully:
- We will treat your report as confidential and we will not share your personal details with any third party without your consent, unless we are obliged to do so by law or by a court ruling.
- We will get in touch with you within 3 working days (if you have provided valid contact information).
- We will keep you informed about progress in the resolution of the issue you have reported.
- We will undertake any necessary corrective action as soon as we can and we will seek to resolve all issues as quickly as possible.
- We do not object to details of reported issues being published from time to time, provided the issue has been resolved in the meantime and no longer poses a problem.
- If you find a vulnerability, but do not follow the responsible disclosure rules set out above, we reserve the right to take action or legal proceedings and/or to report the matter to the police.
- Responsible disclosure means revealing vulnerabilities in a responsible manner, in joint consultation between you and Registry .si, on the basis of this responsible disclosure policy.
Responsible disclosure policy version 1.0, dated 12 November 2021.
(*) In the drafting of this text, we have used the following templates provided by Floor Terra and Bugcrowd: