Introduction
The Government of Alberta is committed to ensuring the security of the public by protecting their information from unwarranted disclosure. This standard is intended to give third parties clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.
This policy describes what systems and types of research are covered under this standard, how to send us vulnerability reports, and how long we ask third parties to wait before publicly disclosing vulnerabilities.
We want third parties to feel comfortable reporting vulnerabilities they’ve discovered – as set out in this standard – so we can fix them and keep our users safe. We have developed this standard to reflect our values and uphold our sense of responsibility to third parties who share their expertise with us in good faith.
Authorization
Unless required by law, if you make a good faith effort to comply with this standard during your security research, we will consider your research to be authorized and we will work with you to understand and resolve the issue quickly.
Guidelines
Under this standard, “research” means activities in which you:
- notify us as soon as possible after you discover a real or potential security issue
- make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data
- only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems
- provide us a reasonable amount of time to resolve the issue before you disclose it publicly
- you do not intentionally compromise the privacy or safety of Government of Alberta personnel (employees or contractors), or any third parties
- you do not intentionally compromise the intellectual property or other commercial or financial interests of any Government of Alberta personnel or entities, or any third parties
Once you have established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Scope
Systems and services associated with domains and sub-domains of Alberta.ca are in scope. Additionally, any website published with a link to this policy shall be considered in scope. Websites not explicitly listed here or published with a link to this policy are considered out of scope for this policy.
Vulnerabilities found in non-Government of Alberta systems from our vendors fall outside of this directive’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you are not sure whether a system or endpoint is in scope or not, contact GOA Cybersecurity before starting your research.
Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.
Rules of engagement
Third parties must not:
- test any system other than the systems set forth in the ‘Scope’ section above
- disclose vulnerability information except as set forth in the ‘Reporting a Vulnerability’ and ‘Disclosure’ sections below
- engage in physical testing of facilities or resources
- engage in social engineering
- send unsolicited electronic mail to Government of Alberta users, including “phishing” messages
- execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks
- introduce malicious software
- test in a manner which could degrade the operation of Government of Alberta systems; or intentionally impair, disrupt, or disable Government of Alberta systems
- test third-party applications, websites, or services that integrate with or link to or from Government of Alberta systems
- delete, alter, share, retain, or destroy Government of Alberta data, or render Government of Alberta data inaccessible
- use an exploit to exfiltrate data, establish command line access, establish a persistent presence on Government of Alberta systems, or “pivot” to other Government of Alberta systems
Third parties may:
- view or store Government of Alberta nonpublic data only to the extent necessary to document the presence of a potential vulnerability
Third parties must:
- cease testing and notify us immediately upon discovery of a vulnerability
- cease testing and notify us immediately upon discovery of an exposure of nonpublic data
- purge any stored Government of Alberta nonpublic data upon reporting a vulnerability
Reporting a vulnerability
Reports may be submitted anonymously. We do not support PGP-encrypted emails at this time.
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely Government of Alberta, we may share your report with the the Canadian Security Intelligence Service. We will not share the researcher’s name or contact information without their express permission or as required by law.
By clicking “Submit Report,” you are indicating that you have read, understand, and agree to the guidelines described in this policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to Government of Alberta information systems, and consent to having the contents of the communication and follow-up communications stored on a Government of Alberta information system.
In order to help us triage and prioritize submissions, we recommend that your reports:
- adhere to all legal terms and conditions outlined on this page
- describe the vulnerability, where it was discovered, and the potential impact of exploitation
- offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful)
Disclosure
Government of Alberta is committed to timely correction of vulnerabilities. However, we recognize that public disclosure of a vulnerability in absence of a readily available corrective action likely increases versus decreases risk. Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for at least 90 days after you have received our acknowledgement of receipt of your report, or longer if deemed necessary by the GOA, and upon notice to you. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we require that you coordinate in advance with us.
We may share vulnerability reports with the Canadian Security Intelligence Service (CSIS), as well as any affected vendors. We will not share names or contact data of third parties unless given explicit permission.