This policy shall govern any and all information security breach or vulnerability occurred within the operations of WMC affiliates and other controlled entities.
This policy sets out the processes to report to WMC’s staff any data breach, suspicion of a data breach, or a vulnerability found on one of WMC’s systems. A data breach involves the loss of, unauthorized access to, or unauthorized disclosure of, personal information. A vulnerability is any flaw that can be found on a system that could lead to a data breach or to an interruption of the provided service. The adherence to this Procedure and Response Plan will ensure that WMC can contain, assess and respond to data breaches or vulnerabilities expeditiously and mitigate the potential harm that it can produce.
For WMC, maintaining the confidentiality, integrity, and availability of our information and systems is very important. We appreciate the work done by security researchers that help us improve our security measures. That’s why we want to have a clear process for you to report vulnerabilities or security breaches. All vulnerabilities and/or security breaches must be reported to: firstname.lastname@example.org
WMC encourages security researchers to report any vulnerability or security breach that you believe you might have found. All the reports submitted in compliance with this policy will be investigated and any issue that might be encountered will be resolved as soon as possible. If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and we will not recommend or pursue legal action related to your research.
The following items describe the actions that researchers must, may and must not do on their testing methods:
Security researchers must:
● cease testing and notify us immediately upon discovery of a vulnerability.
● cease testing and notify us immediately upon discovery of an exposure of nonpublic data.
● purge any stored WMC nonpublic data upon reporting a vulnerability.
Security researchers may:
● View or store WMC’s nonpublic data only to the extent necessary to document the presence of a potential vulnerability.
Security researchers must not:
● Test any system other than the systems set forth in the scope systems listed below.
● disclose vulnerability information except as set forth in the ‘Reporting a Vulnerability’ and ‘Disclosure’ sections below.
● engage in physical testing of facilities or resources.
● engage in social engineering.
● send unsolicited electronic mail to WMC’s users, including “phishing” messages.
● execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks.
● introduce malicious software.
● test in a manner that could degrade the operation of WMC’s systems; or intentionally impair, disrupt, or disable WMC’s systems.
● delete, alter, share, retain, or destroy WMC’s data, or render WMC’s data inaccessible.
● use an exploit to exfiltrate data, establish command-line access, establish a persistent presence on WMC’s systems.
We’ve determined that the following scope of systems that are accepted as being researched: https://wmc-us.com/
● Researchers are allowed to submit reports anonymously, although any preferred contact method is welcomed in order to clarify any reported vulnerability information or another technical interchange.
When reporting a vulnerability or a security breach, a detailed technical description of the steps to reproduce it, including tools, images, and any other documentation that may be attached to reports is desired.
The Information that should be provided (if known) at this point includes:
1. When the breach occurred or vulnerability has been exploited (time and date).
2. Description of the breach/vulnerability (the type of personal information involved).
3. Cause of the breach (if known) otherwise how it was discovered.
4. Which system(s), if any, are affected?
5. Which project/area/task is involved?
WMC will determine the severity based on the following criteria:
1. The type and extent of personal information involved
2. Whether multiple individuals have been affected
3. Whether the information is protected by any security measures (password protection or encryption).
4. The person or kinds of people who now have access
5. Whether there is (or could there be) a real risk of serious harm to the affected individuals
6. Whether there could be media or stakeholder attention as a result of the breach or suspect breach