Complete Licensing is committed to addressing and reporting security issues through a coordinated and constructive approach designed to provide the greatest protection for our customers, partners, staff, and all internet users.

A security vulnerability is a weakness in our systems or services that may compromise their security. This policy applies to security vulnerabilities discovered anywhere, whether by Complete Licensing staff or by others using Complete Licensing services. The responsibility for this policy lies with the senior management team of Complete Licensing, who will review it annually. All staff must follow this policy and will receive regular training on how to adhere to it.


Reporting Vulnerabilities

If you believe you have discovered a vulnerability in one of our services or have a security incident to report, please email [email protected]. Our PGP key is available here to allow encrypted communication if you prefer.

When submitting a vulnerability report, please include:

  • The website, IP address, or page where the vulnerability can be observed.
  • A brief description of the type of vulnerability, such as ‘XSS vulnerability’.
  • Steps to reproduce. These should be benign, non-destructive proofs of concept; this helps ensure that the report can be triaged quickly and accurately.


What to Expect After Reporting

Once we have received a vulnerability report, Complete Licensing takes a series of steps to address the issue:

  • We will promptly acknowledge receipt of your report.
  • We request that the reporter keeps all communication regarding the vulnerability confidential.
  • We will work with you to understand and investigate the vulnerability.
  • We will provide a timeframe for addressing the vulnerability.
  • We will notify you once the vulnerability has been resolved, allowing you to retest if needed.
  • We will publicly announce the vulnerability in the release notes of the update that fixes it. Additional public announcements, such as via social media, may also be issued.
  • Release notes (and blog posts, when issued) will credit the person or people who reported the vulnerability unless the reporter(s) would prefer to remain anonymous.


Complete Licensing will endeavour to keep the reporter informed of every step in this process as it occurs.


Rules of Engagement

You must NOT:

  • Break any applicable laws or regulations.
  • Communicate any vulnerabilities or associated details other than by the means described in the published security.txt.
  • Use high-intensity, invasive, or destructive security scanning tools that could degrade the quality of service of Complete Licensing infrastructure or services.
  • Engage in physical testing of facilities or resources, or perform social engineering against Complete Licensing.
  • Attempt or report any form of denial of service, such as overwhelming a service with high-volume requests.
  • Submit reports detailing TLS configuration weaknesses, such as “weak” cipher suite support or the presence of TLS 1.0 support.
  • Demand financial compensation before or after disclosing any vulnerability.


You must also not disclose any vulnerability found within a Complete Licensing system, website, or application to third parties or the public before Complete Licensing has confirmed that the vulnerability has been mitigated or remediated. This does not prevent you from notifying third parties for whom the vulnerability is directly relevant; the purpose is to maintain the confidentiality of communications and to ensure that Complete Licensing systems remain protected until the vulnerability has been remediated.


You must:

  • Always comply with data protection rules and never violate the privacy of Complete Licensing users, staff, contractors, services, or systems. You must not, for example, share, redistribute, or fail to properly secure data retrieved from our systems or services.
  • Securely delete all data retrieved during your research as soon as it is no longer required, or within one month of the vulnerability being resolved, whichever occurs first (or sooner where data protection law requires it).

Legalities

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or that might cause Complete Licensing to breach any of its legal obligations, including but not limited to:

  • The Computer Misuse Act (1990)
  • The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018
  • The Copyright, Designs and Patents Act (1988)
  • The Official Secrets Act (1989)


Complete Licensing will not seek prosecution of any security researcher who reports a security vulnerability in a Complete Licensing service or system where the researcher has acted in good faith and in accordance with this disclosure policy.
