Purpose and Content

This policy gives security researchers a point of contact to directly submit their research findings if they believe they have found any potential or identified security vulnerabilities within SYC’s systems.

Scope

This Vulnerability Disclosure policy applies to independent security researchers for any internet-facing systems or Software as a Service (SaaS) cloud services used by SYC in the delivery of services.

Policy Statement

SYC processes and stores significant personal and sensitive information about our participants, staff and partners. The security of our systems is a top priority, and we take every care to keep them secure. Despite our efforts, there may still be vulnerabilities.

We are keen to engage with the security researcher community in order to improve our security posture. This policy allows security researchers to share their findings with us.

We will not compensate you for finding potential or confirmed vulnerabilities; however, we will view the reporting as collaboration and credit you as the person who discovered the vulnerability (unless you prefer us not to).

This policy does not authorise individuals or groups to undertake hacking or penetration testing against SYC’s IT systems.

This policy does not cover any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service. The following list, which is not exhaustive, contains the types of techniques that are not permitted during research activities:

  • Any activities that violate laws or regulations
  • Clickjacking
  • Social engineering or phishing attacks
  • Accessing or attempting to access accounts or data
  • Destroying or attempting to destroy data
  • Data exfiltration, including site replication
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
  • Physical attacks

In the event that a security vulnerability is not reported in accordance with this policy, we reserve all of our legal rights.

How to Report a Vulnerability

If you think you have found a potential security vulnerability in one of our systems, services or products, please tell us as soon as possible by emailing Privacy@syc.net.au.

Please provide:

  • An explanation of the potential vulnerability
  • Enough detail so that we can reproduce your steps
  • Your contact details

Researchers Credited with Finding Vulnerabilities

NIL