Responsible Disclosure Policy

CENTR recognises the importance of keeping our services, infrastructure and data secure. We take security issues seriously and will respond swiftly to fix them.

How to report a security vulnerability?

If you believe you have discovered a security vulnerability within the CENTR services and infrastructure (including CENTRstats), please:

Contact security@centr.org, providing sufficient information (including the exact page or URL) so we can resolve the vulnerability as soon as possible. If you would like to encrypt your email, you can use our public PGP key.

When reporting a vulnerability, the following CENTR services and parts of infrastructure are in-scope:

  • The centr.org website and infrastructure
  • The stats.centr.org website and infrastructure

Please do not exploit the vulnerability you have discovered or reveal the problem to others. This does not prevent notification of a vulnerability to third parties to whom the vulnerability is directly relevant, for example where the vulnerability being reported is in a software library or framework – but details of the specific vulnerability affecting CENTR must not be referenced in such reports. If you are unsure about the status of a third party whom you wish to notify, please email security@centr.org for clarification.

How will CENTR handle your report?

  • We will strive to resolve all problems as quickly as possible.
  • We will try to respond to your report within five business days with our evaluation of the report and an expected resolution date.
  • We will handle your report with strict confidentiality and will not pass on your personal details to third parties without your permission.
  • We will keep you informed of the progress on resolving the problem.
  • In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).
  • As a non-profit organisation, we value your contribution to our security greatly. However, we do not issue monetary rewards for reported vulnerabilities. If you send us your contact details, we would be happy to send you a small branded gift as a token of our gratitude.

We reserve the right to change the content of this policy at any time.