External Vulnerability Disclosure Policy
Sureway Health and Wellbeing is committed to ensuring the security and privacy of its systems and data. We value the security community’s assistance in identifying and addressing potential vulnerabilities in our systems. This External Vulnerability Disclosure Policy outlines the process for reporting security vulnerabilities to Sureway Health and Wellbeing and sets expectations for responsible disclosure.
This policy aims to:
- Security Enhancement: The primary objective is to enhance the security of Sureway’s systems, applications, and services by leveraging the collective expertise of security researchers and the security community to identify and report potential vulnerabilities.
- Proactive Risk Mitigation: Encourage the proactive identification and mitigation of security vulnerabilities before they can be exploited by malicious actors, thereby reducing Sureway’s exposure to security risks.
- Transparency: Promote transparency by providing a clear, structured, and documented process for external individuals, security researchers, and the public to report security issues. This transparency builds trust with the security community.
This Policy applies to all full-time, part-time and casual employees, and to any other people doing work on behalf of Sureway Group and its related entities (including licensees, contractors and sub-contractor staff).
Policy statement – Reporting Vulnerabilities
If you believe you have discovered a security vulnerability within Sureway Health and Wellbeing’s systems, please follow these steps:
To report a vulnerability, please send an email to [email protected], which is our dedicated security contact. Additionally, you can refer to our ‘security.txt’ file for alternative contact information. Our ‘security.txt’ file is located at https://surewayhealthwellbeing.com.au/.well-known/security.txt.
In your report, include the following information:
- A detailed description of the vulnerability, including the affected system or component.
- Steps to reproduce the vulnerability, including any required configurations or conditions.
- Proof-of-concept (PoC) or exploit code, if applicable.
- Any supporting documentation or relevant details.
Provide Your Contact Information
We need a way to contact you for follow-up and coordination, so please provide your name and a valid email address.
Once we receive your vulnerability report, we will acknowledge receipt within 48 hours. Our security team will review the report and conduct an initial assessment of the vulnerability.
The Sureway IT Security Team will work diligently to:
- Confirm the existence of the vulnerability.
- Assess the severity and potential impact of the vulnerability.
- Develop a plan to remediate the vulnerability.
Acknowledgment and Credit
Sureway Health and Wellbeing acknowledges and appreciates the efforts of security researchers and individuals who responsibly disclose vulnerabilities. Depending on the severity and impact of the vulnerability, we may provide public acknowledgment and credit for your responsible disclosure, with your consent.
Sureway Health and Wellbeing is committed to protecting security researchers and individuals who report vulnerabilities. We will not pursue legal action against individuals who follow this disclosure policy and act in good faith. However, this policy does not grant immunity for illegal activities or any violation of applicable laws.
Sureway Health and Wellbeing will treat all vulnerability reports and related communications as confidential information. We request that security researchers also maintain confidentiality until we have resolved the issue.
Feedback and Questions
If you have feedback or questions regarding this policy, please contact us at [email protected].
Sureway Health and Wellbeing appreciates your dedication to improving the security of our systems. Your cooperation in following this External Vulnerability Disclosure Policy is essential to maintaining a secure environment for our organization and our users.
Thank you for your commitment to responsible disclosure.
Reference legislation and standards
Privacy Act 1988 (Cth)
Notifiable Data Breaches (NDB) Scheme: Under the Privacy Act
Cybersecurity Act 2020 (Cth)
Sureway Health and Wellbeing is a division of the Sureway Group