Contact: mailto:security@isc2.org
Expires: 2026-12-31T23:59:59Z
Preferred-Languages: en
# Security Researcher Policy (Direct Reporting to ISC2)
#
# Safe Harbor
# If you conduct your security research and vulnerability disclosure activities in accordance with this policy and applicable law, ISC2 will:
# • Not initiate or recommend any law enforcement or civil lawsuits related to such activities; and
# • If a third party brings legal action, take steps to make known that your activities were conducted pursuant to and in compliance with this policy.
# This safe harbor does not apply to activities inconsistent with this policy or the law; third parties may independently determine whether to pursue legal action or remedies.
#
# Authorized Testing Scope (when reporting directly to ISC2)
# Activities are limited exclusively to:
# • Testing to detect a vulnerability or identify an indicator related to a vulnerability; or
# • Sharing with, or receiving from, ISC2 information about a vulnerability or an indicator related to a vulnerability.
#
# Researcher Conduct Requirements
# • Do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
# • Avoid intentionally accessing communications, data, or information transiting or stored on ISC2 systems, except as necessary to prove the vulnerability exists.
# • Do not exfiltrate any data under any circumstances.
# • Do not intentionally compromise the privacy or safety of ISC2 personnel or any third parties.
# • Do not intentionally compromise intellectual property or other commercial or financial interests of ISC2 or any third parties.
# • Do not publicly disclose vulnerability details/indicators or content made available by a vulnerability, except upon receiving explicit written authorization from ISC2.
# • Do not conduct denial of service testing.
# • Do not conduct social engineering, including spear phishing, of ISC2 personnel or contractors.
# • Do not submit a high volume of low-quality reports.
# • If at any point you are uncertain whether to continue testing, please engage with our team.
#
# Excluded Submission Types (generally out of scope)
# The following submission types are generally excluded. If you believe an item below has material security impact, include a clear demonstration of impact (e.g., a chained attack) in your report.
# • Findings from physical testing such as office access (e.g., open doors, tailgating).
# • Findings derived primarily from social engineering (e.g., phishing, vishing).
# • Findings from applications or systems not listed in the "Targets" section.
# • Functional, UI and UX bugs and spelling mistakes.
# • Network-level Denial of Service (DoS/DDoS) vulnerabilities.
# • Descriptive error messages (e.g., stack traces, application or server errors).
# • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
# • Banner disclosure on common/public services.
# • Disclosure of known public files or directories (e.g., robots.txt).
# • Clickjacking and issues only exploitable through clickjacking.
# • CSRF on forms that are available to anonymous users (e.g., the contact form).
# • Logout Cross-Site Request Forgery (logout CSRF).
# • Presence of application or web browser "autocomplete" or "save password" functionality.
# • Missing Secure and HttpOnly cookie flags.
# • Lack of a "security speedbump" when leaving the site.
# • Weak CAPTCHA / CAPTCHA bypass.
# • Username enumeration via login or forgot password error message.
# • Login or forgot password brute force and account lockout not enforced.
# • OPTIONS / TRACE HTTP method enabled.
# • SSL/TLS findings (e.g., BEAST, BREACH, renegotiation; forward secrecy not enabled; insecure cipher suites).
# • Missing X-Content-Type-Options (anti-MIME sniffing) and other HTTP security headers.