Coordinated disclosure policy

At RINO we give great importance to the security and privacy of all our stakeholders, it is part of our job to do our best to ensure all our systems are well protected and the data we hold is safe.

An important component of this task is to discover any kind of mal-function or mis-configuration in our systems that may affect or compromise RINO and its users. On this matter we acknowledge the importance of the work being done by independent security researchers and we are willing to work with them to achieve this goal as long as everybody acts in good faith.

We try to respond, investigate and address any bug/vulnerability report in a timely fashion, in order to be responsible to our users and to respect the effort of the person making the report.

Below you can find all the details about how to correctly make a report.

Process

To initiate the reporting process you should gather all the information you collected about the vulnerability in an email message and send it to security@rino.io.

  • The components that are affected
  • Any preconditions you believe to be required
  • The steps you took to trigger the bug

For high severity issues that can easily be exploited, we would appreciate if the email content is encrypted first. You can get our PGP public key here and confirm it has the following fingerprint: 45F1609889F596FA8715C86A4C885C751EEFDA9A

Note: You can also include information about your PGP key, to keep all further discussion private.

Our commitment

We respect your work, so you can count on us to:

  • Respond in a timely manner, acknowledging your report as soon as we receive it and letting you know about the status of our internal investigation in the first 48h
  • Provide you with a real timeline for the resolution of the problem
  • Notify you when it is solved or when there is any delay
  • Acknowledge your contribution publicly.

Actions we do not allow

While we welcome most bug and vulnerability reports, we expect them to be found in a responsible way, so there are certain conducts we explicitly do not allow such as:

  • Intentional attempts to cause denial of service to our production systems
  • Performing actions that negatively affect RINO and/or its users, including accessing, modifying or destroying information that does not belong to you.
  • Any kind of non-technical attacks such as social engineering or phishing
  • Spamming in public zones within the service (chat rooms, forums, etc)

Acknowledgements and Rewards

All accepted reports will automatically be acknowledged by us on a dedicated public page for this matter (acknowledgments). This acknowledgement will contain the author’s name (or identifier), date and the type of bug/vulnerability found.

In case you do not want to be added to the page, please mention it on the email exchanges during the reporting process.

Other kinds of prizes might be awarded, the decision will be made by a dedicated internal team and will be based on the following criteria:

  • Severity: The possible damage to RINO and its users
  • Impact: The amount of affected users
  • Exploitability: How easy would be to exploit such vulnerability
  • Report quality: Overall level of detail and clarity of the report

We don’t expect to award this extra prizes on all cases, it is intended for exceptional reports.