Responsible Disclosure

At Gorman Consulting, we consider the security of our systems—our computers, servers, websites, etc.—a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities (i.e., weaknesses or flaws) present. If you discover a vulnerability (e.g., unpatched software, open ports, misconfigured security settings), we would like to know about it so we can address it before there is an incident. Below, we summarize instructions for what you should do if you identify a vulnerability, followed by how we will respond.

If you identify a vulnerability, we kindly ask that you: 

  • E-mail a description of the issue to security@gormanconsulting.org, including sufficient information to reproduce the problem. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation. 
  • Not take advantage of the vulnerability or problem you have discovered. For example, refrain from downloading more data than necessary to demonstrate the vulnerability or deleting/modifying/sharing other people’s data.
  • Not reveal the problem to others until it has been resolved.
  • Do no harm.

In response, we will: 

  • Respond to your report within 5 business days with our evaluation of the report and an expected resolution date. We will subsequently keep you informed on our progress. 
  • Not take any legal action against you if you have followed the instructions above.
  • Handle your report with strict confidentiality and not pass on your personal details to third parties without your permission.
  • For public disclosure concerning the problem reported, give your name as the discoverer of the problem (unless you desire otherwise).
  • As a token of our appreciation, offer a reward for issues that 1) were not yet known to our security team and 2) have a contextualized vulnerability score of medium or higher according to the NIST CVSS 4.0 framework. The amount of the reward will be determined based on the severity of the vulnerability and the quality of the report, with a minimum of $50.

Please don’t hesitate to reach out to the email above with any questions.
