Vulnerability Disclosure Policy

Introduction

At SWARM we take the security of our systems and data seriously. We recognise the importance of working with security researchers and members of the wider community to identify and address potential vulnerabilities in our systems. This Vulnerability Disclosure Policy outlines how individuals can report security vulnerabilities they discover in our systems or services, and how we will handle such reports.

Scope

This policy applies to all systems, applications, websites, and services owned or operated by SWARM.

Purpose

This policy establishes guidelines for identifying, assessing, and mitigating vulnerabilities in SWARM’s information systems. The objective is to maintain a secure environment, protect sensitive data, and respond effectively to potential threats.

Vulnerability Identification

Regular vulnerability assessments and scans will be conducted on all information systems. The Common Vulnerability Scoring System (CVSS) will be used to assess the severity of identified vulnerabilities.

Responsible Disclosure

We encourage responsible disclosure of security vulnerabilities. If you discover a vulnerability in any of our systems, we ask that you:

  1. Submit a Report: Submit a detailed report of the vulnerability to our security team via email at security@swarm.eco. Please include a description of the vulnerability, steps to reproduce it, and any additional information that may help us understand and address the issue.
  2. Provide Reasonable Time: Allow us reasonable time to assess and address the reported vulnerability before making any information about it public or sharing it with others.
  3. Cooperate: Work with our security team in good faith to resolve the issue, including providing additional information if requested.

Guidelines for Reporting

When submitting a vulnerability report, please adhere to the following guidelines:

  • Provide detailed information about the vulnerability, including a description of the issue, its potential impact, and steps to reproduce it.
  • Include your contact information so that we can communicate with you regarding the reported vulnerability.
  • Do not engage in any activities that could potentially harm our systems or data while researching or testing for vulnerabilities.
  • Do not disclose the vulnerability to others until we have had an opportunity to address it.

What We Will Do

Upon receiving a vulnerability report, we will:

  1. Acknowledge Receipt: Acknowledge receipt of your report within 3 business days.
  2. Investigate: Conduct a thorough investigation of the reported vulnerability to verify its validity and assess its impact.
  3. Develop a Fix: Develop and implement a fix for the vulnerability.
  4. Notify You: Once the vulnerability has been addressed, we will notify you and, if appropriate, publicly acknowledge your contribution to our security efforts.
  5. Coordinate Disclosure: Work with you to determine an appropriate timeline for disclosing the vulnerability to the public, taking into account any potential risks or sensitivities.

Scope Limitations

Please note that this policy only applies to security vulnerabilities in systems owned or operated by SWARM. It does not cover third-party systems or services, even if they are integrated with or used by our systems.

We would like to thank the security researchers and members of the community who help us improve the security of our systems through responsible disclosure of vulnerabilities.

This policy will be reviewed annually and updated as necessary to align with emerging threats, technologies, and best practices. Non-compliance with this policy may result in disciplinary action.