APNIC launches vulnerability reporting program

By on 3 Aug 2020

Categories: Tech matters Community



Today APNIC is announcing a formal Vulnerability Reporting Program that aims to provide guidance to security researchers who find bugs or weaknesses in any of APNIC’s services.

While APNIC has always welcomed reports of potential security issues, the introduction of this new program lays out a direct email address for the APNIC Computer Security Incident Response Team (CSIRT), what information we would like to see in a detailed report, and guidance on what is ‘In Scope’ and ‘Out of Scope’ for testing.

APNIC has also taken a further step by including a ‘Safe Harbour’ statement, which gives security researchers additional assurance that any security testing performed within the program’s guidance will be seen as authorized and lawful. This is a concern for many researchers, as there have been cases where companies have filed lawsuits against security researchers who discovered vulnerabilities and were attempting to report them in good faith.

This program is one aspect of APNIC’s ongoing proactive security program and will help improve the security of APNIC products and services.

[Figure: the vulnerability lifecycle, including the reporting program. Caption: How the vulnerability reporting program is used in APNIC’s ongoing security processes.]

Additionally, APNIC has implemented a proposed Request for Comments (RFC) that describes our Vulnerability Reporting Program through a security.txt file. Read more about the security.txt format and the proposed RFC. You can also access APNIC’s security.txt.
