We aim to ensure a consistent and secure manner for you to communicate suspected Verify Ontario app vulnerabilities. Find information on how to report a vulnerability.
Who we are
When we say “we”, “us” or “our”, we mean Her Majesty the Queen in Right of Ontario (more commonly known as the Government of Ontario).
This policy provides guidelines for the cybersecurity research community and members of the general public (hereafter referred to as you) on conducting good faith vulnerability discovery activities directed at the Verify App.
Digital services for the public mean convenient, faster services, but they can also expose people, businesses and government to cybersecurity risks. ODS has an ethos of working in the open and is willing to hear from the cybersecurity community in order to build a stronger Verify App.
In order to be considered authorized, you must:
- Notify us within 72 hours of discovering a vulnerability.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only conduct testing activities to the extent necessary to confirm a vulnerability’s presence.
- Not use any exploit to compromise or exfiltrate data; open, take, or delete files; establish command line access and/or persistence; or pivot to other systems.
- Not escalate privileges or attempt to move laterally within the network.
- Not disrupt access to our services or introduce any malware in the course of testing.
- Not publicly disclose reported vulnerabilities without prior coordination with us.
- Not submit a high volume of low-quality reports.
Once you establish that a vulnerability exists or encounter sensitive material, such as personal information or personal health information, you must stop testing and notify us. The process for reporting a vulnerability is described below.
Activities outside the scope of this policy
Any activities not specifically referenced in this policy are considered out of scope and not authorized. If you are unsure about whether a particular activity is authorized, contact us at email@example.com.
This policy does not authorize, permit, or otherwise allow, either expressly or impliedly, any person to engage in any security research or vulnerability or threat disclosure activity on or affecting our systems that is inconsistent with this policy or law. If you engage in any activities that are inconsistent with this policy or other applicable law, you may be subject to criminal law and/or civil liabilities.
A researcher acting in good faith to discover, test and submit vulnerabilities or indicators of vulnerabilities is authorized, provided that testing activities are limited exclusively to:
- Testing to detect a vulnerability or identify an indicator related to a vulnerability; or
- Sharing information with, or receiving information from, us about a vulnerability or an indicator related to a vulnerability.
- Researchers may not harm any system or data on our system or exploit any potential vulnerabilities beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
- Researchers must not establish command line access and/or persistence; pivot to other systems; escalate privileges; attempt to move laterally within the network; disrupt access to our services; or introduce any malware in the course of testing.
- Researchers must avoid intentionally accessing the content of any communications, data, or information transiting or stored on any of our information systems – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
- Researchers must not intentionally exfiltrate or copy our data, or open, take, or delete files. Should researchers obtain our data during their research, they must coordinate with us to ensure that data is appropriately destroyed upon confirmation that the vulnerability is remediated.
- Researchers may not intentionally compromise the privacy or safety of our personnel (e.g. employees or contractors) or any third parties.
- Researchers may not intentionally compromise the intellectual property or other commercial or financial interests of any of our personnel or entities or any third parties through their research.
- Researchers may not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, until that vulnerability is remediated and they receive explicit written authorization from us.
- Researchers may not conduct denial-of-service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
- Researchers may not conduct physical testing or social engineering, including spear phishing, of our personnel or contractors.
- Researchers may not intentionally submit a high volume of low-quality, unsubstantiated, or false-positive reports.
If at any point researchers are uncertain whether to continue testing, researchers must engage with us at firstname.lastname@example.org before conducting any further testing.
Reporting a vulnerability
If you discover a vulnerability or suspected vulnerability, you must provide a report describing the vulnerability which includes:
- A description of the vulnerability and the potential impact of the vulnerability;
- product details for the software or hardware that are potentially impacted;
- step by step instructions on how to reproduce the issue(s);
- suggested mitigation or remediation actions, as appropriate; and
- information on how you may be contacted by us.
Please send your report to email@example.com.
Notice of collection and consent
By submitting a vulnerability report, you agree to the requirements of this policy and that anything you submit to us may be used by us for the purpose of addressing a vulnerability, a suspected vulnerability, or otherwise for improving our services.
Amendments or termination
We may terminate or update this policy at any time and without notice.