Security Policy
This policy governs all information security violations and vulnerabilities that occur within the operations of the subsidiaries of Rocket Launch and other controlled entities.
This policy establishes the processes for informing Rocket Launch staff of any data breaches, suspected data breaches, or vulnerabilities found in Rocket Launch systems. A data breach involves loss of, unauthorized access to, or unauthorized disclosure of personal information. A vulnerability is any defect found in a system that could cause a data breach or an interruption of the service provided.
Compliance with this Procedure and Response Plan will ensure that Rocket Launch can contain, assess and respond to data breaches or vulnerabilities in an expeditious manner and mitigate the potential damage they may cause.
Maintaining the confidentiality, integrity and availability of our information and our systems is extremely important to Rocket Launch. We appreciate the work done by security researchers who help us improve our security measures. This is why we want to have a clear process for reporting vulnerabilities or security breaches. All vulnerabilities and/or security breaches should be reported to: dev@rocketlaunch.dev.
Rocket Launch invites security researchers to report any vulnerabilities or security breaches they think they have found. All reports submitted in accordance with this policy will be investigated and any issues that may arise will be resolved as soon as possible. If the investigator makes a good faith effort to comply with this policy during their security investigation, we will consider their investigation to be authoritative, we will work with the investigator to understand and resolve the issue promptly, and we will not recommend or initiate legal action related to their investigation.
The following lists describe the actions that researchers must, can, and must not take in their evaluation methods:
Security researchers must:
• stop testing and notify us immediately when a vulnerability is discovered.
• stop testing and notify us immediately upon discovery of exposed information that is private in nature.
• purge any stored private Rocket Launch information when reporting a vulnerability.
Security researchers can:
• view or store Rocket Launch private information only to the extent necessary to document the presence of a potential vulnerability.
Security researchers must not:
• perform tests on systems that are not in the systems list below.
• disclose information about vulnerabilities, except as set forth in the "Report a Vulnerability" and "Disclosure" sections below.
• participate in conducting physical tests of facilities or resources.
• participate in social engineering practices.
• send unsolicited emails to Rocket Launch users, including "phishing" messages.
• execute or attempt to execute "Denial of Service" (DoS) or "Resource Depletion" attacks.
• introduce malicious software.
• test in a way that may degrade the performance of Rocket Launch systems; or intentionally damage, disrupt, or disable Rocket Launch systems.
• delete, alter, share, retain or destroy Rocket Launch information, or make it inaccessible.
• use an exploit to extract information, establish command line access, or establish a persistent presence on Rocket Launch systems.
We have determined that the following systems can be investigated:
• www.rocketlaunch.dev
Researchers can submit reports anonymously, although a contact method is welcome so that we can clarify information about the reported vulnerability or carry out other technical exchanges.
When reporting a vulnerability or security breach, it is ideal to include a detailed technical description of the steps to reproduce it, along with the tools used, images, and any other documentation that can be attached to the report.
Information to be provided (if known) at this point includes:
1. When the breach occurred or the vulnerability was exploited (date and time).
2. Description of the breach / vulnerability (the type of personal information involved).
3. Cause of the violation, if known; otherwise, how was it discovered?
4. What systems are affected, if any?
5. What project / area / task is involved?
6. Whether the violation or suspected violation could attract the attention of the media or interested parties.