Campus 365 is committed to resolving security susceptibilities quickly and carefully. Such resolutions may lead to the release of a Security Advisory and/or any needed product update for our customers. In order to protect our customers and their data, we request that susceptibilities be responsibly and confidentially reported to us so that we may investigate and respond. susceptibilities should not be announced until we have developed and comprehensively tested a product update and made it available to licensed customers.
Campus 365 products are complex. They run on diverse hardware and software configurations and are connected to many third-party applications. All software modifications – big or small -- require thorough analysis, as well as development and implementation across multiple product lines and versions. The software must also undergo localization, accessibility, and be testing appropriate to its scope, complexity, and severity. Given the critical importance of our products to our customers, Campus 365 must ensure that they run correctly not only in our testing facilities but also in customer environments. Accordingly, Campus 365 cannot provide product updates according to a set timeline -- but we are committed to working expeditiously.
Malicious parties often exploit software susceptibilities by reverse engineering published security advisories and product updates. It is important for customers to update software promptly and use our severity rating system as a guide to better schedule upgrades. Therefore, public discussion of the susceptibility is only appropriate after customers have an opportunity to obtain product updates.
Testing For Security Susceptibilities
You should conduct all susceptibility testing against non-production instances of our products to minimize the risk to data and services.
Reporting A Susceptibility
- Confidentially share details of the potential susceptibility by sending an email to hello@campus365.io
- Provide details of the potential susceptibility so the Campus 365 security team may validate and reproduce the issue quickly.
Without the above information, it may be difficult if not impossible to address the potential susceptibility. Reports listing numerous potential susceptibilities without detail will not be addressed without further clarification. Details should include:
- Type of susceptibility;
- Whether the information has been published or shared with other parties;
- Affected products and versions;
- Affected configurations; and
- Step-by-step instructions or proof-of-concept code to reproduce the issue.
Campus 365 Security Commitment
To all susceptibility reporters who follow this Policy, Campus 365 will attempt to do the following:
- Acknowledge the receipt of your report.
- Investigate in a timely manner, confirming where possible the potential susceptibility.
- Provide a plan and timeframe for addressing the susceptibility, only if appropriate, and
- Notify the susceptibility reporter when the susceptibility has been resolved.
Acknowledging Contribution
With the agreement of the susceptibility reporter, Campus 365 may acknowledge the reporter's contribution during the public disclosure of the susceptibility so long as the reporter complies with this policy. Campus 365 does not compensate for reporting security susceptibilities.
Changes In Policy
Campus 365 is committed to improving its security policy and as such, may update or amend this policy at any time with or without notice to you. If you have any questions regarding this policy, please email us at hello@campus365.io