4 - Policies
4.1 - Types of Incident and Levels of Support
The level of support provided by the OutSystems CSIRT Team will vary depending on the type and severity of the incident or issue, the type of constituent, the affected scope, and OutSystems CSIRT resources. Resources will be assigned according to the following priorities:
- Threats to the physical safety of human beings
- Denial of service attacks on OutSystems client infrastructures, support systems, or public systems
- Root or system-level attacks on OutSystems client infrastructures, support systems or public systems
- Compromise of restricted confidential service accounts or software installations on any OutSystems client infrastructure or OutSystems support system
- Any threats, attacks or compromises at other sites that originate from the OutSystems network
- Large-scale attacks of any kind
- Compromise of individual user accounts
- Threats, harassment, and other criminal offenses involving individual user accounts
- Compromise of end-user devices
- Forgery, misrepresentation, and other security-related violations of local rules and regulations
- Denial of service on individual user accounts
OutSystems CSIRT will also provide support, in the form of analysis, documentation and, where required, intervention, for any vulnerability found or reported that affects OutSystems. Incident types not specified here will be prioritized according to their apparent severity, impact, and extent.
4.2 - Cooperation, Interaction and Disclosure of Information
All received information is handled as confidential, regardless of its priority.
When reporting incidents that have sensitive information, be explicit (for example, by using the label SENSITIVE) and, if possible, encrypt it using the OutSystems CSIRT PGP Key, available from the link in section 2.7 of this document.
Although there are legal and ethical restrictions on the flow of information from OutSystems CSIRT, some of which are specified in OutSystems policies, all reports will be respected; OutSystems CSIRT acknowledges its indebtedness to and declares its intention to contribute to the spirit of cooperation that created the Internet. Therefore, though appropriate measures will be taken to protect the identity of members of our constituency and members of involved third parties where necessary, OutSystems CSIRT will otherwise share information freely when this will help others resolve or prevent security incidents.
Information will be released based on the following considerations:
- Private user information is considered confidential information and, as such, will not be released unless disguised or otherwise hidden.
- Intruder information is similar to private user information, and the same rules apply.
- Information that concerns third-party systems, sites, or other technological assets will not be released without the permission of the affected third party.
- Technical information about vulnerabilities and attacks that affect third-party vendors, including fixes and workarounds, will be released freely after contacting the affected third parties and after allowing sufficient time for the implementation of patches or fixes.
- Vulnerability information about OutSystems is considered technical information about vulnerabilities or attacks. This information will be divulged freely after proper mitigation, patches, and/or hotfixes are available for deployment.
- Information considered embarrassing to OutSystems, OutSystems partners or any third party (e.g. statements that an incident has occurred) will not be released without the permission of the affected parties.
OutSystems CSIRT will only share the necessary information with involved parties or publicly as required to resolve or prevent security incidents.
4.3 - Communication and Authentication
In view of the types of information that the OutSystems CSIRT will likely be dealing with, telephones will be considered sufficiently secure to be used, even when unencrypted. Unencrypted email will not be considered secure, but will be sufficient for the transmission of low-sensitivity data. Sensitive data sent by email must be encrypted with the OutSystems CSIRT PGP key.
Online ticketing tools will be considered sufficient for transmitting sensitive information if proper user access segregation is implemented.
Network file transfers will be considered to be similar to email: sensitive data must be encrypted for transmission.
When establishing trust is necessary, the identity of the other party will be ascertained to a reasonable degree of confidence. Appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, along with telephone call-back or email mail-back to ensure that the party is not an impostor. Incoming email with data that must be trusted will be checked with the originator or by means of digital signatures.