-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

1 - Document Information

1.1 - Date of Last Update

This is version 1.1 and was last updated on 14 Jun 2018.

1.2 - Distribution List for Notifications

Email notification of updates is sent to OutSystems CSIRT. Please send any questions about updates to the OutSystems CSIRT email address: csirt@outsystems.com

1.3 - Document Location

The current version of this document is on the OutSystems Trust page. Make sure that you are using the latest version of this document.

1.4 - Authentication of This Document

A digitally signed version is available at the end of this document. The signature was produced using the OutSystems CSIRT PGP key. Our public key can be downloaded from the link in section 2.7.

2 - Contact Information

2.1 - Name of the Team

Full name: OutSystems Computer Security Incident Response Team
Short name: OutSystems CSIRT

2.2 - Address

Rua Central Park 2, 2A
2795-242 Linda-a-Velha
Portugal

2.3 - Time Zone

Western European Time Zone (UTC+00:00)

2.4 - Telephone Number

Regular and emergency contact: +351 308 808 222, +351 800 780 555

2.5 - Other Telecommunication

Not applicable

2.6 - Email Address

Send incident reports that relate to OutSystems CSIRT to csirt@outsystems.com
Non-incident related mail should be addressed to support@outsystems.com

2.7 - Public Keys and Other Encryption Information

Encrypt any sensitive email with the OutSystems CSIRT PGP key and send it to csirt@outsystems.com.

Key size: 4096
Key validity: 01 Nov 2019
Key fingerprint: 1C25 DBBB 1BF8 ECC3 CD75 D8CA 1BAE A457 224A 6C74
Link to Public Key

2.8 - Team Members

No public information is provided about OutSystems CSIRT members.

2.9 - Other Information

More information about OutSystems CSIRT is available on the OutSystems Trust page.

2.10 - Points of Customer Contact

The preferred method for contacting OutSystems CSIRT is email. For abuse or security issues, use csirt@outsystems.com.
For general customer inquiries, use the OutSystems Support Portal (registration is required, but it's free).

3 - Charter

3.1 - Mission Statement

The OutSystems Computer Security Incident Response Team (OutSystems CSIRT) is the OutSystems cyber investigation and forensics team. It provides security monitoring services to protect OutSystems from cyber attacks and from the loss of its intellectual assets. The primary mission of OutSystems CSIRT is to help ensure company, system, and data preservation by performing comprehensive investigations into computer security incidents, and to contribute to the prevention of such incidents by engaging in proactive threat assessment, mitigation planning, incident trend analysis, security architecture review, and vulnerability management.

3.2 - Constituency

OutSystems CSIRT is responsible for handling security incidents that relate to company employees, company assets, and all OutSystems domains, namely: outsystems.com, outsystemsenterprise.com, outsyste.ms, outsystemscloud.com and outsystems.net.

3.3 - Sponsorship and Affiliation

OutSystems CSIRT consists of a group of engineers and analysts that serves all of OutSystems and acts under the authority of the Information Security Office and its Chief Information Security Officer to protect OutSystems information assets. OutSystems CSIRT is affiliated with the Cloud Security Alliance.

3.4 - Authority

OutSystems CSIRT coordinates, investigates, and remediates security incidents at the direction of the OutSystems Information Security Office and its Chief Information Security Officer.

4 - Policies

4.1 - Types of Incident and Levels of Support

The level of support provided by OutSystems CSIRT will vary depending on the type and severity of the incident or issue, the type of constituent, the affected scope, and OutSystems CSIRT resources.
Resources will be assigned according to the following priorities:

1. Threats to the physical safety of human beings
2. Denial of service attacks on OutSystems client infrastructures, support systems, or public systems
3. Root or system-level attacks on OutSystems client infrastructures, support systems, or public systems
4. Compromise of restricted confidential service accounts or software installations on any OutSystems client infrastructure or OutSystems support system
5. Any threats, attacks, or compromises at other sites that originate from the OutSystems network
6. Large-scale attacks of any kind
7. Compromise of individual user accounts
8. Threats, harassment, and other criminal offenses involving individual user accounts
9. Compromise of end-user devices
10. Forgery, misrepresentation, and other security-related violations of local rules and regulations
11. Denial of service on individual user accounts

If required, OutSystems CSIRT will also provide analysis and documentation of, and where needed intervention for, any vulnerability found or reported that affects OutSystems.

Incident types not specified here will be prioritized according to their apparent severity, impact, and extent.

4.2 - Cooperation, Interaction and Disclosure of Information

All received information is handled as confidential, regardless of its priority. When reporting incidents that involve sensitive information, be explicit about it (for example, by using the label SENSITIVE) and, if possible, encrypt the report using the OutSystems CSIRT PGP key, available from the link in section 2.7 of this document.

Although there are legal and ethical restrictions on the flow of information from OutSystems CSIRT, some of which are specified in OutSystems policies, all reports will be respected; OutSystems CSIRT acknowledges its indebtedness to, and declares its intention to contribute to, the spirit of cooperation that created the Internet.
Therefore, though appropriate measures will be taken to protect the identity of members of our constituency and of involved third parties where necessary, OutSystems CSIRT will otherwise share information freely when this will help others resolve or prevent security incidents.

Information will be released based on the following considerations:

- Private user information is considered confidential information and, as such, will not be released unless disguised or otherwise hidden.
- Intruder information is similar to private user information, and the same rules apply.
- Information that concerns third-party systems, sites, or other technological assets will not be released without the permission of the affected third party.
- Technical information about vulnerabilities and attacks that affect third-party vendors, including fixes and workarounds, will be released freely after contacting the affected third parties and after allowing sufficient time for the implementation of patches or fixes.
- Vulnerability information about OutSystems is considered technical information about vulnerabilities or attacks. This information will be divulged freely after proper mitigation, patches, and/or hotfixes are available for deployment.
- Information considered embarrassing (e.g. statements that an incident has occurred) to OutSystems, OutSystems partners, or any third party will not be released without the permission of the affected parties.

OutSystems CSIRT will only share the necessary information with involved parties, or publicly, as required to resolve or prevent security incidents.

4.3 - Communication and Authentication

In view of the types of information that OutSystems CSIRT will likely be dealing with, telephones will be considered sufficiently secure to be used, even when unencrypted. Unencrypted email will not be considered secure, but will be sufficient for the transmission of low-sensitivity data.
Sensitive data sent by email must be encrypted to the OutSystems CSIRT PGP key. Online ticketing tools will be considered sufficient for transmitting sensitive information if proper user access segregation is implemented. Network file transfers will be considered similar to email: sensitive data must be encrypted for transmission.

When establishing trust is necessary, the identity of the other party will be ascertained to a reasonable degree of trust. Appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, and telephone call-back or email mail-back to ensure that the party is not an impostor. Incoming email with data that must be trusted will be checked with the originator or by means of digital signatures.

5 - Services

5.1 - Incident Response

OutSystems CSIRT will assist with the technical and organizational aspects of security incidents. In particular, it will provide assistance or advice for the following aspects of incident management.

5.1.1 - Incident Triage

- Investigating whether an incident is in fact a security incident
- Determining the extent and criticality of a security incident

5.1.2 - Incident Coordination

- Determining the initial cause of the incident
- Facilitating contact with related third parties
- Facilitating contact with OutSystems Security, law enforcement officials, or both if necessary
- Reporting to other CSIRTs
- Creating announcements to users and customers when applicable

5.1.3 - Incident Resolution

- Following the process of removing or mitigating a vulnerability and checking its effectiveness
- Collecting and storing evidence when criminal prosecution (with supervision from law enforcement agencies) or disciplinary action is being contemplated

5.2 - Proactive Activities

OutSystems CSIRT maintains the following services to the extent made possible by its resources:

- List of departmental security contacts (administrative and technical).
  These will be available for OutSystems employees and partners.
- Repository of security tools and corresponding documentation.
- Clipping service relating to security vulnerabilities and cyber attacks. This information will be made available to OutSystems employees and partners via approved communication channels.
- Security level assignments, including producing new security tools, performing internal audits (penetration tests, vulnerability scans, etc.), and reviewing security architectures and network designs.
- Central logging service and analysis for OutSystems clients.
- Documenting security incidents, their analysis, and their resolution.

6 - Incident Reporting

Report the specific type of incident under one of the following categories:

- Contents prohibited by law
- Copyrighted content
- SPAM
- DoS/DDoS
- Sabotage/vandalism
- Phishing
- Malware
- Sniffing
- Illegitimate use of third-party name
- Misuse or unauthorized use of resources
- Access to undue information
- Exfiltration of data
- Improper access to data or systems
- Unauthorized modification of information
- Login attempt
- Vulnerability scan

7 - Disclaimer

Although every precaution will be taken in the preparation of information, modifications, and alerts, OutSystems CSIRT assumes no responsibility for errors, omissions, or damages resulting from the use of the information contained within.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEHCXbuxv47MPNddjKG66kVyJKbHQFAl7D0ioACgkQG66kVyJK
bHQQJg/+PDZEOTt3aQ5M6rE3YzCIiK7MhfcX9T0vWQP5i/P+jl2bSY88piVQY10O
nrogOHyjk8KrvsqSqHcI4YgnXzZtgU5P24vvunvcgaXHhTwv4kWy3emBe9el7rUp
ICLdSCKwP88haUl/R7jkEb7wvGQBaM34rFea3vFRm/DiyzYW16CsqXAuZ/qcV3ZG
q4wg0HTryxGsH1IGd8Ou93Cw7L9TPEf2B1NW7llIHQ7KkMgcSNBdDR9eyzzSbrhs
KnZHvJdu+zJMH/aVBV43KsrAY5x+gmEZ1Ka3WnIKhhyL1hHJzC5I5a3YHXw0JA++
55xbmlfOIb+jAP5YUvw8o7HwTdEivRbAjygXzcZB+ebnKm4RBXxSoqjLToG9bMS5
XjRTTuiOOocBS85IaoSnveoqJvtxyFsbRAL/llbrAuFoq+9cV1Ni2ogiAMYnfF2d
7E85lv+nJiIDl0l/y/xqHYTBVlYQwtJ/6Cbt7WOr0jpWq7ot47Y0Whwffp4xZni4
kj85NPjL+5+uR24xWmD3UoSsZ2+GUUkLca01CPjI2A+uuY4cmXe9wJ9A5knby16q
Y8O6VTie7LVu9ORlmYrhyTbxjubnwy0fbjmtaYy2rfyv1yOO4iyBBbG8qIBLzSUU
Udl7RBwQFzah6BiPqYex1/0QoRKCgB4yPNe/I2qVy4uRX+znZMQ=
=7wIz
-----END PGP SIGNATURE-----
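Sections 1.4, 2.7, 4.2 and 4.3 all rest on one mechanism: the OutSystems CSIRT PGP key, used to check the signature on this document and on incoming mail, and to encrypt sensitive reports. The script below is an added example written by the editor, not code from OutSystems, showing the check a verifier should actually make: that gpg reports a VALIDSIG whose fingerprint equals the fingerprint pinned from section 2.7, rather than merely "Good signature", which only means some key in the local keyring verified the data and says nothing about whose key it is. It assumes gpg is installed and that the CSIRT public key from the section 2.7 link has already been imported; the status lines used in the offline demo are constructed for illustration and are not real gpg output for this document.

```shell
#!/bin/sh
# Added example (editor's, not OutSystems'): verify a clearsigned document
# and encrypt a report against a pinned key fingerprint, instead of trusting
# whatever key happens to carry the CSIRT's name in the keyring.

# Fingerprint published in section 2.7, with the display spacing removed.
CSIRT_FPR="1C25DBBB1BF8ECC3CD75D8CA1BAEA457224A6C74"

# normalize_fpr: drop whitespace and upper-case, so a fingerprint copied
# from a web page compares equal to the form gpg prints.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# check_status EXPECTED_FPR: read "gpg --status-fd 1" machine-readable
# output on stdin. Returns 0 only if a VALIDSIG line carries the expected
# fingerprint (third whitespace-separated field of that line); returns 2 on
# a bad, erroring, expired-key or revoked-key signature. GOODSIG alone is
# never enough: anyone can upload a key with "OutSystems CSIRT" in its user ID.
check_status() {
    expected=$(normalize_fpr "$1")
    pinned_ok=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                fpr=$(printf '%s\n' "$line" | awk '{print $3}')
                [ "$(normalize_fpr "$fpr")" = "$expected" ] && pinned_ok=0
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                # Policy choice: an expired or revoked signing key fails the
                # check too, since section 2.7 states a validity date.
                return 2
                ;;
        esac
    done
    return $pinned_ok
}

# verify_document FILE: run gpg on a clearsigned file (such as this RFC 2350
# document) and apply the pinned-fingerprint check. Assumes gpg is installed
# and the CSIRT public key was imported beforehand (gpg --import <key file>).
verify_document() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null | check_status "$CSIRT_FPR"
}

# encrypt_report IN OUT: encrypt a sensitive report (section 4.2) to the
# pinned key only. --trust-model always is acceptable here precisely because
# the recipient is selected by full fingerprint checked out of band, not by
# name; without it, --batch refuses an unsigned key as "not certain".
encrypt_report() {
    gpg --batch --yes --armor --trust-model always \
        --recipient "$CSIRT_FPR" --output "$2" --encrypt "$1"
}

# demo_offline: exercise check_status on constructed status lines (not real
# gpg output for this document) so the logic can be run without gpg.
# Returns 0 when the pinned key is accepted and a look-alike key is rejected.
demo_offline() {
    genuine='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1BAEA457224A6C74 Example Signer <example@example.invalid>
[GNUPG:] VALIDSIG 1C25DBBB1BF8ECC3CD75D8CA1BAEA457224A6C74 2018-06-14 1528934400 0 4 0 1 8 00 1C25DBBB1BF8ECC3CD75D8CA1BAEA457224A6C74'
    lookalike='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <example@example.invalid>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2018-06-14 1528934400 0 4 0 1 8 00 00112233445566778899AABBCCDDEEFF01234567'
    if ! printf '%s\n' "$genuine" | check_status "$CSIRT_FPR"; then return 1; fi
    if printf '%s\n' "$lookalike" | check_status "$CSIRT_FPR"; then return 1; fi
    return 0
}

# Usage: sh verify_csirt_doc.sh rfc2350-outsystems.txt
if [ "$#" -gt 0 ]; then
    if verify_document "$1"; then
        echo "signature OK and signing key matches the section 2.7 fingerprint"
    else
        echo "REJECTED: bad signature or signing key is not the pinned CSIRT key"
    fi
fi
```

The same pinning applies to the mail-back and digital-signature checks of section 4.3: a signed email from the team is only evidence of origin if the signing key's fingerprint is the one obtained out of band from section 2.7, so a verifier should compare fingerprints rather than stop at gpg's "Good signature" line.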