Vulnerability Disclosure

This Vulnerability disclosure policy applies to the Spark website located at https://spark.re/ (the “Website”) maintained by Spark RE Technologies Inc. (dba Spark) (“Spark”, “we”, “us” or “our”).

Purpose

This policy provides guidelines for the cybersecurity research community and members of the general public (hereafter referred to as you) on conducting good faith vulnerability discovery activities directed at the Website.

Authorized activity

If you follow the requirements of this policy, we will consider your activities to be authorized under the terms of use.

Overview

Digital services for the public means convenient, faster services, but it can also expose people, businesses and government to cybersecurity risks. Spark has an ethos of working in the open and is willing to hear from the cybersecurity community to build a stronger Website.

Requirements

In order to be considered authorized, you must:

  • Notify us within 72 hours of discovering a vulnerability
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only conduct testing activities to the extent necessary to confirm a vulnerability’s presence.
  • Do not use any exploit to compromise or exfiltrate data; open, take, or delete files; establish command line access and/or persistence; or pivot to other systems.
  • Do not escalate privileges or attempt to move laterally within the network.
  • Do not disrupt access to our services or introduce any malware in the course of testing.
  • Do not publicly disclose reported vulnerabilities without prior coordination with us.
  • Do not submit a high volume of low-quality reports.

Once you establish that a vulnerability exists or encounter sensitive material, such as personal information, you must stop testing and notify us. The process for reporting a vulnerability is described below.

Activities outside the scope of this policy

Any activities not specifically referenced in this policy are considered out of scope and not authorized. If you are unsure about whether a particular activity is authorized, contact us at security@spark.re.

This policy does not authorize, permit, or otherwise allow, either expressly or impliedly, any person to engage in any security research or vulnerability or threat disclosure activity on or affecting our systems that is inconsistent with this policy or law. If you engage in any activities that are inconsistent with this policy or other applicable law, you may be subject to criminal law and/or civil liabilities.

Testing methods

A researcher acting in good faith to discover, test and submit vulnerabilities or indicators of vulnerabilities are authorized provided testing activities are limited exclusively to:

  1. Testing to detect a vulnerability or identify an indicator related to a vulnerability; or
  2. Sharing information with, or receiving information from, us about a vulnerability or an indicator related to a vulnerability.
  • Researchers may not harm any system or data on our system or exploit any potential vulnerabilities beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
  • Researchers must not establish command line access and/or persistence; pivot to other systems; escalate privileges; attempt to move laterally within the network; disrupt access to our services; or introduce any malware in the course of testing.
  • Researchers must avoid intentionally accessing the content of any communications, data, or information transiting or stored on any of our information systems – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
  • Researchers must not intentionally exfiltrate or copy our data, or open, take, or delete files. Should researchers obtain our data during their research, they must coordinate with us to ensure that data is appropriately destroyed upon confirmation that the vulnerability is remediated.
  • Researchers may not intentionally compromise the privacy or safety of our personnel (e.g. employees or contractors) or any third parties.
  • Researchers may not intentionally compromise the intellectual property or other commercial or financial interests of any of our personnel or entities or any third parties through their research.
  • Researchers may not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, until that vulnerability is remediated and they receive explicit written authorization from us.
  • Researchers may not conduct denial-of-service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
  • Researchers may not conduct physical testing or social engineering, including spear phishing, of our personnel or contractors.
  • Researchers may not intentionally submit a high-volume of low-quality, unsubstantiated, or false-positive reports.

If at any point researchers are uncertain whether to continue testing, researchers must engage with us at security@spark.re before conducting any further testing.

Reporting a vulnerability

If you discover a vulnerability or suspected vulnerability, you must provide a report describing the vulnerability which includes:

  • A description of the vulnerability and the potential impact of the vulnerability;
  • product details for the software or hardware that are potentially impacted;
  • step by step instructions on how to reproduce the issue(s);
  • suggested mitigation or remediation actions, as appropriate; and
  • information on how you may be contacted by us.

Please send your report to security@spark.re.

Notice of collection and consent

By submitting a vulnerability report, you agree to the requirements of this policy and that anything you submit to us may be used by us for the purpose of addressing a vulnerability, a suspected vulnerability, or otherwise for improving our services.

While we do not require that you submit personal information as part of a report, you may elect to provide your personal contact information. You will be deemed to have consented to our use of this information for the purposes of responding to your report, which may involve contacting you. You further consent that we may disclose your personal information to our relevant employees, officials or contractors for the purpose of addressing a vulnerability, a suspected vulnerability or otherwise for improving our services. Any personal information that you submit will be handled in a manner consistent with our privacy policy. If you have any questions about our collection of this information, please contact security@spark.re.

Amendments or termination

We may terminate or update this policy at any time and without notice.