-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

1 - Document Information

1.1 - Date of Last Update

This is version 1.1 and was last updated on 14 Jun 2018.

1.2 - Distribution List for Notifications

Email notifications of updates are sent to OutSystems CSIRT. Please send any questions about updates to the OutSystems CSIRT email address: csirt@outsystems.com

1.3 - Document Location

The current version of this document is on the OutSystems Trust page. Make sure that you are using the latest version of this document.

1.4 - Authentication of This Document

A digitally signed version is available at the end of this document. The signature was produced using the OutSystems CSIRT PGP key. Our public key can be downloaded from the link in section 2.7.

2 - Contact Information

2.1 - Name of the Team

Full name: OutSystems Computer Security Incident Response Team
Short name: OutSystems CSIRT

2.2 - Address

Rua Central Park 2, 2A
2795-242 Linda-a-Velha
Portugal

2.3 - Time Zone

Western European Time Zone (UTC+00:00)

2.4 - Telephone Number

Regular and emergency contact: +351 800 780 555

2.5 - Other Telecommunication

Not applicable

2.6 - Email Address

Send incident reports that relate to OutSystems CSIRT to csirt@outsystems.com
Non-incident-related mail should be addressed to support@outsystems.com

2.7 - Public Keys and Other Encryption Information

Encrypt any sensitive email with the OutSystems CSIRT PGP key and send it to csirt@outsystems.com.

Key size: 4096
Key validity: 01 Nov 2019
Key fingerprint: 1C25 DBBB 1BF8 ECC3 CD75 D8CA 1BAE A457 224A 6C74
Link to Public Key

2.8 - Team Members

No public information is provided about OutSystems CSIRT members.

2.9 - Other Information

More information about OutSystems CSIRT is available on the OutSystems Trust page.

2.10 - Points of Customer Contact

The preferred method for contacting OutSystems CSIRT is email. For abuse or security issues, use csirt@outsystems.com.
For general customer inquiries, use the OutSystems Support Portal (registration is required, but it is free).

3 - Charter

3.1 - Mission Statement

The OutSystems Computer Security Incident Response Team (OutSystems CSIRT) is the OutSystems cyber investigation and forensics team. It provides security monitoring services to protect OutSystems from cyber attacks and from the loss of its intellectual assets. The primary mission of OutSystems CSIRT is to help ensure company, system, and data preservation by performing comprehensive investigations into computer security incidents, and to contribute to the prevention of such incidents by engaging in proactive threat assessment, mitigation planning, incident trend analysis, security architecture review, and vulnerability management.

3.2 - Constituency

OutSystems CSIRT is responsible for handling security incidents that relate to company employees, company assets, and all OutSystems domains, namely: outsystems.com, outsystemsenterprise.com, outsyste.ms, outsystemscloud.com and outsystems.net.

3.3 - Sponsorship and Affiliation

OutSystems CSIRT consists of a group of engineers and analysts that serves all of OutSystems and acts under the authority of the Information Security Office and its Chief Information Security Officer to protect OutSystems information assets. OutSystems CSIRT is affiliated with the Cloud Security Alliance.

3.4 - Authority

OutSystems CSIRT coordinates, investigates, and remediates security incidents at the direction of the OutSystems Information Security Office and its Chief Information Security Officer.

4 - Policies

4.1 - Types of Incident and Levels of Support

The level of support provided by OutSystems CSIRT will vary depending on the type and severity of the incident or issue, the type of constituent, the affected scope, and OutSystems CSIRT resources.
Resources will be assigned according to the following priorities:

- Threats to the physical safety of human beings
- Denial of service attacks on OutSystems client infrastructures, support systems, or public systems
- Root or system-level attacks on OutSystems client infrastructures, support systems, or public systems
- Compromise of restricted confidential service accounts or software installations on any OutSystems client infrastructure or OutSystems support system
- Any threats, attacks, or compromises at other sites that originate from the OutSystems network
- Large-scale attacks of any kind
- Compromise of individual user accounts
- Threats, harassment, and other criminal offenses involving individual user accounts
- Compromise of end-user devices
- Forgery, misrepresentation, and other security-related violations of local rules and regulations
- Denial of service on individual user accounts

If required, OutSystems CSIRT will also provide support in the form of analysis, documentation, and intervention for any vulnerability found or reported that affects OutSystems. Incident types not specified here will be prioritized according to their apparent severity, impact, and extent.

4.2 - Cooperation, Interaction and Disclosure of Information

All received information is handled as confidential, regardless of its priority. When reporting incidents that contain sensitive information, be explicit (for example, by using the label SENSITIVE) and, if possible, encrypt the report using the OutSystems CSIRT PGP key, available from the link in section 2.7 of this document.

Although there are legal and ethical restrictions on the flow of information from OutSystems CSIRT, some of which are specified in OutSystems policies, all reports will be respected; OutSystems CSIRT acknowledges its indebtedness to, and declares its intention to contribute to, the spirit of cooperation that created the Internet.
Therefore, though appropriate measures will be taken to protect the identity of members of our constituency and of involved third parties where necessary, OutSystems CSIRT will otherwise share information freely when this will help others resolve or prevent security incidents.

Information will be released based on the following considerations:

- Private user information is considered confidential information and, as such, will not be released unless disguised or otherwise hidden.
- Intruder information is treated like private user information, and the same rules apply.
- Information that concerns third-party systems, sites, or other technological assets will not be released without the permission of the affected third party.
- Technical information about vulnerabilities and attacks that affect third-party vendors, including fixes and workarounds, will be released freely after contacting the affected third parties and after allowing sufficient time for the implementation of patches or fixes.
- Vulnerability information about OutSystems is considered technical information about vulnerabilities or attacks. This information will be divulged freely after proper mitigations, patches, and/or hotfixes are available for deployment.
- Information considered embarrassing (e.g. statements that an incident has occurred) to OutSystems, OutSystems partners, or any third party will not be released without the permission of the affected parties.

OutSystems CSIRT will only share the necessary information with involved parties, or publicly, as required to resolve or prevent security incidents.

4.3 - Communication and Authentication

In view of the types of information that OutSystems CSIRT will likely be dealing with, telephones will be considered sufficiently secure to be used, even when unencrypted. Unencrypted email will not be considered secure, but will be sufficient for the transmission of low-sensitivity data.
Sensitive data sent by email must be encrypted with the OutSystems CSIRT PGP key. Online ticketing tools will be considered sufficient for transmitting sensitive information if proper user access segregation is implemented. Network file transfers will be considered similar to email: sensitive data must be encrypted for transmission.

When establishing trust is necessary, the identity of the other party will be ascertained to a reasonable degree of trust. Appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, and telephone call-back or email mail-back, to ensure that the party is not an impostor. Incoming email with data that must be trusted will be checked with the originator or by means of digital signatures.

5 - Services

5.1 - Incident Response

OutSystems CSIRT will assist with the technical and organizational aspects of security incidents. In particular, it will provide assistance or advice for the following aspects of incident management.

5.1.1 - Incident Triage

- Investigating whether an incident is in fact a security incident
- Determining the extent and criticality of a security incident

5.1.2 - Incident Coordination

- Determining the initial cause of the incident
- Facilitating contact with related third parties
- Facilitating contact with OutSystems Security, law enforcement officials, or both if necessary
- Reporting to other CSIRTs
- Creating announcements to users and customers when applicable

5.1.3 - Incident Resolution

- Following the process of removing or mitigating a vulnerability and checking its effectiveness
- Collecting and storing evidence when criminal prosecution (with supervision from law enforcement agencies) or disciplinary action is being contemplated

5.2 - Proactive Activities

OutSystems CSIRT maintains the following services to the extent made possible by its resources:

- List of departmental security contacts (administrative and technical).
  These will be available for OutSystems employees and partners.
- Repository of security tools and corresponding documentation.
- Clipping service relating to security vulnerabilities and cyber attacks. This information will be made available to OutSystems employees and partners via approved communication channels.
- Security level assignments, including producing new security tools, performing internal audits (penetration tests, vulnerability scans, etc.), and reviewing security architectures and network designs.
- Central logging service and analysis for OutSystems clients.
- Documenting security incidents, analyses, and resolutions.

6 - Incident Reporting

Click the link for the specific type of incident you want to report:

- Contents prohibited by law
- Copyrighted content
- SPAM
- DoS/DDoS
- Sabotage/Vandalism
- Phishing
- Malware
- Sniffing
- Illegitimate use of third-party name
- Misuse or unauthorized use of resources
- Access to undue information
- Exfiltration of data
- Improper access to data or systems
- Unauthorized modification of information
- Login attempt
- Vulnerability scan

7 - Disclaimer

Although every precaution will be taken in the preparation of information, modifications, and alerts, OutSystems CSIRT assumes no responsibility for errors, omissions, or damages resulting from the use of the information contained within.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEHCXbuxv47MPNddjKG66kVyJKbHQFAlsictwACgkQG66kVyJK
bHSSkA//RdccGOhsFrqmGxgtApp6nRbmLCPcsSygCka9pQ9uQ8MZ4l0NuiFnyCTC
6jDwqzMY5nCwjjKSICyMFP6IElTmfcD83U5wBUx3+8d3CB73QWDYXLP1hE6RFgdz
RtpRHfXrREay/uAFtQWzATZtE5jvUpOgG40Rd3gf11JIFEbpNi4tnyZgS4XA0sY8
a1uP5wfsOePvD+T6l/HUfa2h90qgY+sdeulUBLpHTfngYHCB4yZOpRiBswtUWTbD
FURL5pMKKZFhRdeQeUCT1AG3adH1oXNVK4i+Mj0BznMhV8Ny6ihb7V3zddYgNF9f
wkGJYRof3kOK3D714107NLb/Osh1v33Zi1K68c9DWLdw5y6FWMlKppQJwg1806Rm
SI6mJq3HmciEVPRYMCgb5wqCRLfQyBrCdnx9C3W7driqY2hsBVlpsfFJcz5d7TMF
v6iCUfeobc78sK2yVY2jGjmcUtPcbiubcuPH2/BnUMzqf/feH95Tg+fYjlFqIm2B
b3A8JsOHiZanSOR9SaNmsNJxgSKfdZ4x+RYvA5lajiAMKTp0Rmcn+R7nAYVjv+eP
4cB71GtLBaQTUXywWAPwRW5G79gkD3e5Cw3xGtyucGLBERBt/6tj9v96vYN6tBeT
ESvqt03OlgMqw/BYveMckwkhB5FGHYlrTWRXetDqYB+qvfvZDiU=
=UA5A
-----END PGP SIGNATURE-----
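Sections 1.4 and 4.3 rely on the reader checking the signature at the end of this document against the key fingerprint published in section 2.7. Full verification needs the public key from the link in 2.7 and the exact signed text (gpg --verify does that). The script below is an added example, not part of the OutSystems document or its tooling: it performs the cheap offline checks a reader can do first, parsing the armored signature block above with the standard library only (RFC 4880 packet and subpacket layout) and reporting whether the key the signature names is the one section 2.7 states. The only input it assumes is the signature text exactly as printed above.

```python
"""Consistency checks on the PGP signature block that closes an RFC 2350 document.

Added example, not part of the OutSystems document. It does not verify the signature
(that needs the public key and the signed text); it checks the armor CRC, parses the v4
signature packet (RFC 4880 section 5.2.3) and compares the key named with section 2.7.
"""
import base64
from datetime import datetime, timezone

# Fingerprint as stated in section 2.7 of the document.
STATED_FINGERPRINT = "1C25 DBBB 1BF8 ECC3 CD75 D8CA 1BAE A457 224A 6C74"

# Signature block copied from the end of the document.
ARMORED_SIGNATURE = """-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEHCXbuxv47MPNddjKG66kVyJKbHQFAlsictwACgkQG66kVyJK
bHSSkA//RdccGOhsFrqmGxgtApp6nRbmLCPcsSygCka9pQ9uQ8MZ4l0NuiFnyCTC
6jDwqzMY5nCwjjKSICyMFP6IElTmfcD83U5wBUx3+8d3CB73QWDYXLP1hE6RFgdz
RtpRHfXrREay/uAFtQWzATZtE5jvUpOgG40Rd3gf11JIFEbpNi4tnyZgS4XA0sY8
a1uP5wfsOePvD+T6l/HUfa2h90qgY+sdeulUBLpHTfngYHCB4yZOpRiBswtUWTbD
FURL5pMKKZFhRdeQeUCT1AG3adH1oXNVK4i+Mj0BznMhV8Ny6ihb7V3zddYgNF9f
wkGJYRof3kOK3D714107NLb/Osh1v33Zi1K68c9DWLdw5y6FWMlKppQJwg1806Rm
SI6mJq3HmciEVPRYMCgb5wqCRLfQyBrCdnx9C3W7driqY2hsBVlpsfFJcz5d7TMF
v6iCUfeobc78sK2yVY2jGjmcUtPcbiubcuPH2/BnUMzqf/feH95Tg+fYjlFqIm2B
b3A8JsOHiZanSOR9SaNmsNJxgSKfdZ4x+RYvA5lajiAMKTp0Rmcn+R7nAYVjv+eP
4cB71GtLBaQTUXywWAPwRW5G79gkD3e5Cw3xGtyucGLBERBt/6tj9v96vYN6tBeT
ESvqt03OlgMqw/BYveMckwkhB5FGHYlrTWRXetDqYB+qvfvZDiU=
=UA5A
-----END PGP SIGNATURE-----
"""


def crc24(data):
    """Armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armored):
    """Return (packet bytes, crc_ok) for an ASCII-armored block."""
    inner = [ln.strip() for ln in armored.strip().splitlines()][1:-1]  # drop BEGIN/END lines
    crc_line = next((ln for ln in inner if ln.startswith("=")), "")
    b64 = "".join(ln for ln in inner if ln and ":" not in ln and not ln.startswith("="))
    data = base64.b64decode(b64)  # ":" filter skips armor headers such as "Version:"
    crc_ok = bool(crc_line) and int.from_bytes(base64.b64decode(crc_line[1:]), "big") == crc24(data)
    return data, crc_ok


def parse_subpackets(buf):
    """Map subpacket type -> body; length encoding per RFC 4880 section 5.2.3.1."""
    out, i = {}, 0
    while i < len(buf):
        first = buf[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + buf[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
        out[buf[i] & 0x7F] = buf[i + 1:i + length]  # mask the "critical" bit off the type
        i += length
    return out


def parse_signature_packet(data):
    """Parse one old-format v4 signature packet and return the fields worth checking."""
    tag = data[0]
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2:
        raise ValueError("not an old-format signature packet")
    off = (2, 3, 5)[tag & 0x03]  # header size; length type 3 (indeterminate) raises IndexError
    body_len = int.from_bytes(data[1:off], "big")
    body = data[off:off + body_len]
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hashed_end = 6 + int.from_bytes(body[4:6], "big")
    unhashed_len = int.from_bytes(body[hashed_end:hashed_end + 2], "big")
    subs = {**parse_subpackets(body[hashed_end + 2:hashed_end + 2 + unhashed_len]),
            **parse_subpackets(body[6:hashed_end])}  # hashed subpackets take precedence
    return {
        "sig_type": body[1],  # 0x01 = signature over a canonical text document
        "pubkey_alg": {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}.get(body[2], body[2]),
        "hash_alg": {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}.get(body[3], body[3]),
        "created": datetime.fromtimestamp(int.from_bytes(subs[2], "big"), tz=timezone.utc).isoformat(),
        # type 33 (issuer fingerprint) carries a version octet before the 20-byte v4 fingerprint
        "issuer_fingerprint": subs[33][1:].hex().upper() if 33 in subs else None,
        "issuer_key_id": subs[16].hex().upper() if 16 in subs else None,
        "packet_length_ok": len(data) == off + body_len,  # no trailing or missing bytes
    }


def check_document_signature(armored=ARMORED_SIGNATURE, stated=STATED_FINGERPRINT):
    """Non-cryptographic checks: armor intact, packet sane, named key matches section 2.7."""
    data, crc_ok = dearmor(armored)
    info = parse_signature_packet(data)
    info["crc_ok"] = crc_ok
    info["fingerprint_matches"] = info["issuer_fingerprint"] == stated.replace(" ", "").upper()
    info["key_id_consistent"] = info["issuer_key_id"] is None or (
        info["issuer_fingerprint"] or "").endswith(info["issuer_key_id"])
    return info
```

Calling check_document_signature() on the block above reports an RSA/SHA256 text signature (sig_type 1) created 2018-06-14T13:51:24+00:00 by the key with fingerprint 1C25 DBBB 1BF8 ECC3 CD75 D8CA 1BAE A457 224A 6C74, whose issuer key ID 1BAEA457224A6C74 is its last eight bytes; that agrees with the date in section 1.1 and the fingerprint in section 2.7. A mismatch there, or crc_ok / packet_length_ok being False, means the text was altered or re-signed with another key and is worth a call-back to the CSIRT as section 4.3 describes. A match still proves nothing cryptographically: the issuer-fingerprint subpacket is unauthenticated metadata until the signature itself is verified against the downloaded key.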