Vulnerability disclosure

Context & Objectives

Context

As a Research and Technology Organization (RTO), LIST develops competitive and market-oriented products and service prototypes for public and private stakeholders at the national, European and international levels in the fields of materials, the environment and informatics.

In the context of its activities, information security is a major concern in terms of confidentiality, integrity and availability. This concerns LIST’s information assets (scientific, technical, administrative and strategic data), as well as those made available by its partners.

In a constantly evolving digital environment, vulnerabilities can exist in our systems, applications or even on our internet site. These vulnerabilities do not necessarily lead to attacks but are open doors that can be exploited by attackers and cause harm to the confidentiality, integrity and availability of LIST information systems.

Since users may discover these vulnerabilities in their normal use of LIST information system assets, this policy has been developed to encourage the responsible disclosure of vulnerabilities in order for them to be dealt with in the most effective way.

Objectives

This policy, recommended by organizations such as NIST, ENISA and CISA, defines the rules for reporting potentially exploitable vulnerabilities discovered on LIST information systems before they are discovered and exploited by malicious actors.

The present document aims to describe what personal data we collect about you, the reason why LIST uses your data and, as the case may be, shares your data, and the applicable retention periods. Additionally, the notice provides you with information regarding your rights, how to exercise them and whom you can contact in case of any query.

Reporting Vulnerabilities

Any person identifying a vulnerability on the information systems and services of the organization must report it to our dedicated email address as soon as possible: security@list.lu.

If the vulnerability report contains confidential information, it is preferable to encrypt the communication to guarantee that messages sent remain confidential. Several encryption methods can be used for this.

If GPG/PGP encryption is used to contact security@list.lu, the encryption key fingerprint is: 3DEE 2C6A FDD7 05EF 7827 EF3E 072C 41C7 9D34 510D

If it is not feasible to encrypt the communication, the level of detail in the information sent must be limited. In this case, an alternative secure communication channel may be proposed for sending confidential information.

When reporting the vulnerability, certain information is necessary in order to identify and deal with it, such as:

  • a precise description of the vulnerability;
  • the way in which it was discovered;
  • the system(s), service(s) and application(s) affected.

Any additional documentation, illustration or proof of concept may also be added to the communication.

Enquiry and resolution

The LIST information security team will acknowledge receipt of the vulnerability report. Additional secure communications may be sent in this context.

The information security team, assisted by the persons involved with the vulnerability in question, will assess the vulnerability and risks related to it, and will identify the actions necessary to deal with it within a reasonable and acceptable time limit. The information security team will also follow the action plan.

Our institute does not offer monetary rewards or compensation for vulnerability reports.

Non-disclosure

This policy has been created in order to enable the security of the LIST information systems to be guaranteed. For this reason, the persons involved in this procedure may not, in any circumstances, disclose information on the vulnerability to anyone outside the circle of authorized persons.

Contact

For any questions or concerns relating to this policy or the reporting process, please do not hesitate to contact us at security@list.lu.

 
