Vulnerability Disclosure Policy
Introduction
At FieldKit, the security of our open-source hardware and software is a top priority. We understand the importance of the community’s role in helping to keep our products secure and user-friendly. This Vulnerability Disclosure Policy aims to guide responsible disclosure of potential security vulnerabilities by well-intentioned security researchers.
Scope
This policy applies to the products and services offered by FieldKit, including:
- FieldKit hardware and any embedded software/firmware
- The FieldKit website and any related web services
- Mobile applications
- Any FieldKit-provided APIs
Vulnerabilities discovered in any product or service outside this scope should be reported to the appropriate vendor or maintainer.
Guidelines
We request that all researchers:
- Notify us as soon as possible after discovering a potential security issue.
- Provide us with a reasonable amount of time to resolve the issue before any disclosure to the community or public.
- Avoid accessing or modifying data that does not belong to you.
- Avoid scanning or testing in a manner that could degrade the performance of our services.
- Avoid the use of any malware or exploit that could harm the integrity or performance of our services or data.
- Keep the details of the issue confidential until a coordinated disclosure can be made.
How to Report a Vulnerability
Please report potential vulnerabilities by emailing us directly at security@fieldkit.org with the following information:
- A clear description of the vulnerability, including any potential impact.
- Detailed steps to reproduce the vulnerability (Proof of Concept scripts, screenshots, and compressed screen captures are all acceptable).
- Contact information for further communication.
We pledge to respond promptly to your report and work with you to understand and address the issue responsibly.
What You Can Expect From Us
After you report a vulnerability, FieldKit will:
- Acknowledge receipt of your report within 5 business days.
- Review your report and work with you to understand the impact.
- Prioritize the reported issue and determine a timeline for the fix based on severity.
- Communicate with you throughout the resolution process.
- Recognize your efforts on our social media, our blog, or in the code acknowledgments, if you wish your name to be published.
Please note that as a not-for-profit endeavor, FieldKit cannot provide financial compensation for vulnerability reports (i.e. we cannot pay “bug bounties”).
Legal Assurance
If you follow the guidelines above, FieldKit will not pursue legal action against you with regard to the report. We will consider your actions to have been conducted in good faith, and we will work with you to understand and resolve the issue quickly.
Conclusion
Our Vulnerability Disclosure Policy ensures that FieldKit collaborates with the community and security researchers to avoid any negative impact on the security of FieldKit and associated services. We welcome the contribution of external security researchers and believe that their efforts should be openly recognized.
Thank you for helping us keep FieldKit and our services safe and secure.
Please note that this policy may be revised at any time without notice, and FieldKit reserves the right to modify the terms and conditions at its discretion.
For any questions or suggestions about this policy, please contact security@fieldkit.org.