Security
Responsible Disclosure
Safety first

Fastweb considers data protection and the protection of its customers a priority and therefore would ask anyone who has discovered a vulnerability in one of its systems, services or products to send an alert.

Mission
Our commitment

Fastweb considers data protection and the protection of its customers a priority and therefore adopts a safe development process for its systems, services and products at every phase, from design to release.

Despite this, some vulnerabilities occasionally go undetected and/or emerge only once the product, application or service is released to the public. That is why, to further improve its levels of security and reliability, Fastweb has published this Responsible Disclosure procedure. Its aim is to involve researchers and, more generally, cyber security enthusiasts in helping the company make its systems even safer and more reliable and guarantee the safety and privacy of its customers by responsibly managing security vulnerabilities.

Fastweb therefore would ask anyone who has discovered a vulnerability in one of its systems, services or products to send a report following the Responsible Disclosure policy below:

Please send the report to security.alert@fastweb.it, including the following information:

  • The type of vulnerability detected and potential impact;
  • The portal, application, service or device impacted by the vulnerability;
  • A detailed description of the problem (in order to be able to replicate it);
  • A zip file containing all the material that can help to replicate the problem. The maximum file size cannot exceed 10MB;
  • The identification data (name, surname, any organization you work for, any links to sites or social networks) for publication in the Hall of Fame (if explicit authorisation is given);
  • Consent or non-consent to pass your data to the technology manufacturer involved in the report, for possible direct contact;
  • Whether or not you are willing to be included in Fastweb's Responsible Disclosure Hall of Fame section.

The email can be encrypted using the following PGP key:
PGP key: 0xD794D11B - Fingerprint: 2657C6774227AB32A78B74F330D5E865D794D11B

Keep discovered vulnerabilities strictly confidential and secret, undertaking not to disclose them or make them available to third parties for a period of time to be agreed with Fastweb to allow the company to identify and apply the appropriate countermeasures.
Work with the Fastweb Security team and work groups involved.
Make every effort to avoid breaches of privacy, deterioration or suspension of services and destruction of data. In this regard, it is expressly forbidden to:
  • Access, modify or download data from an account for which you do not have rights;
  • Implement actions similar to "Denial of Service" attacks or capable of damaging the functioning of any Fastweb asset or resource;
  • Upload, link, run or send malicious code using Fastweb systems;
  • Carry out tests the effect of which is to send unwanted messages, spam or other forms of unauthorised messages.

Once the report is received, Fastweb undertakes:

  • Not to take legal action against anyone who discovers and reports security breaches in compliance with this Responsible Disclosure policy. Any request for compensation (in cash or otherwise) for identified or suspected vulnerabilities will be deemed not to comply with this Responsible Disclosure policy.

  • To send a confirmation email within 20 days, confirming that the report has been received and providing information regarding the relevance of the report in relation to the Responsible Disclosure process and on the outcome of the preliminary analysis carried out by Fastweb.

  • To provide a time frame for resolving the vulnerability and agree on the date by which the name will be published in the "Hall of Fame" section. Fastweb reserves the right to extend the period of confidentiality and therefore the date of publication, giving appropriate notice to the person who sent the report should additional time be required to correct the vulnerability.

  • To manage the reporting in an appropriate manner to comply with the time frames indicated and, if a vulnerability has been appropriately reported and has not yet been resolved, to publicly thank the author in the "Hall of Fame" section, if permission has been given.

Reports relating to the following types of cases are not included under this Responsible Disclosure procedure:

  • Results of automatic vulnerability assessment / penetration testing / information gathering tools (e.g. SQLmap, OWASP ZAP, nmap, etc.);
  • Phishing and/or spam issues (to be reported to abuse@fastweb.it).