Policy #2

Vulnerability Disclosure Policy

Introduction
Arise Software Ltd. is dedicated to developing and supporting systems that assist Māori organisations in the administration and processing of grants and distributions to landowners and descendants. Ensuring the security of our systems is a top priority, and we value the role of security researchers in helping us maintain this security.

Scope
This policy applies to any digital assets owned, operated, or controlled by Arise Software Ltd., including our websites and other online services.

Reporting a Vulnerability
If you believe you have discovered a vulnerability in any of our systems, we encourage you to report it to us as soon as possible. Please include as much information as possible, including:
– A description of the issue
– Steps to reproduce the vulnerability
– The system used (e.g., operating system, browser, etc.)
– Account/login details if applicable
– Any relevant screenshots or logs

Contact Information
Please report vulnerabilities via email to: support@arisesoftware.co.nz
Your report will be handled by David.

Acknowledgment and Response
We aim to acknowledge receipt of your report as soon as possible, typically within 48 hours. We dedicate the necessary time to resolve each reported vulnerability and will keep you updated on our progress.

Vulnerability Disclosure Process
1. **Submission**: Send your report to support@arisesoftware.co.nz with the necessary details as mentioned above.
2. **Acknowledgment**: We will acknowledge receipt of your report within 48 hours.
3. **Validation**: Our security team will validate and reproduce the issue.
4. **Resolution**: We will work to resolve the vulnerability as quickly as possible, keeping you informed of our progress.
5. **Disclosure**: We will notify you when the vulnerability has been resolved and discuss any necessary public disclosure.

Legal Aspects and Confidentiality
We will handle all reports in accordance with applicable laws. We are committed to protecting your privacy and will treat your report confidentially. We will not share your personal information without your consent, except as required by law. We request that you do not publicly disclose the vulnerability until we have had an opportunity to address it.

Recognition
As a token of our appreciation, we offer personal recognition for significant vulnerability reports. This may include a personal phone call or a visit, where possible, to thank you for your contribution.

Review and Update
This policy will be reviewed and updated by David as required.

Password Requirements

Our cloud system access codes are set by us and provided to you either by email or text message.

Passwords must:

  1. Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
  2. Be at least seven characters in length
  3. Contain characters from three of the following four categories:
     – English uppercase characters (A through Z)
     – English lowercase characters (a through z)
     – Base 10 digits (0 through 9)
     – Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.