Privacy Policy
Quality Policy
Health and Safety Policy
Keeping Children and Young People Safe Policy
Feedback and Complaints Policy
SYC Gender Pay Gap Employer Statement
Public Computer Terms of Use

Additional policies

Vulnerability Disclosure Policy

Purpose and Content

This policy gives security researchers a point of contact to directly submit their research findings if they believe they have found any potential or identified security vulnerabilities within SYC’s systems.

Scope

This Vulnerability Disclosure policy applies to independent security researchers for any internet-facing systems or Software as a Service (SaaS) cloud services used by SYC in the delivery of services.

Policy Statement

SYC processes and stores significant personal and sensitive information about our participants, staff and partners. The security of our systems is a top priority, and we take every care to keep them secure. Despite our efforts, there may still be vulnerabilities.

We are keen to engage with the security researcher community in order to improve our security posture. This policy allows security researchers to share their findings with us.

We will not compensate you for finding potential or confirmed vulnerabilities; however, we will view the reporting as collaboration and credit you as the person who discovered the vulnerability (unless you prefer us not to).

This policy does not authorise individuals or groups to undertake hacking or penetration testing against SYC’s IT systems.

This policy does not cover any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service. The following list, which is not exhaustive, contains the types of techniques that are not permitted during research activities:

- Any activities that violate laws or regulations

- Clickjacking

- Social engineering or phishing attacks

- Accessing or attempting to access accounts or data

- Destroying or attempting to destroy data

- Data exfiltration, including site replication

- Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks

- Physical attacks

In the event that a security vulnerability is not reported in accordance with this policy, we reserve all of our legal rights.

How to Report a Vulnerability

If you think you have found a potential security vulnerability in one of our systems, services or products, please tell us as soon as possible by emailing [email protected].

Please provide:

- An explanation of the potential vulnerability

- Enough detail so that we can reproduce your steps

- Your contact details

Public Acknowledgement

We greatly appreciate your efforts in identifying and addressing vulnerabilities. We may follow up with you to confirm that the solution has been effective. While we do not offer a monetary reward for bug hunting and error reporting, we are eager to recognise your valuable contribution on our website. Thank you for your sincere and positive efforts in keeping our platforms secure!

Contributors

- Keyur Maheta

Whistleblower Policy

SYC is committed to maintaining a high standard of ethical behaviour and good corporate governance. As such, we have partnered with Emverio Workplace Complaints, an external independent third party that provides a whistleblower service. Whistleblowing is the deliberate, voluntary disclosure of individual or organisational malpractice by a person who has or had privileged access to data, events or information about an actual, suspected or anticipated wrongdoing within or by an organisation and that is within its ability to control. This service provides a safe, secure and compliant reporting process to help identify and appropriately respond to whistleblower disclosures.

For further information, please refer to our Whistleblowing Policy, which outlines what constitutes a whistleblower complaint, our process and the link to the Emverio Workplace’s complaint form.