Submitting a vulnerability
Terms of engagement for submitting a vulnerability
Anyone is encouraged to report a vulnerability that could be exploited in a cyber attack and thus affect the availability, integrity or confidentiality of Notarius' systems and technological infrastructures.
To this end, we adhere to the engagement and disclosure principles established by the Ministère de la Cybersécurité et du Numérique du Québec, which are described below.
Your motivations
The motives that justify your intervention must be ethical and have the objective of protecting or improving Notarius' systems and technological infrastructures, including the information they hold.
Your commitment
By submitting the Vulnerability Report form, you acknowledge that you have acted in a manner that contributes constructively to cybersecurity, in the public interest, and without malicious intent - for example, you are not seeking personal enrichment and you are not engaging in espionage to extract confidential information - since :
- you have reported, as quickly as possible, a vulnerability discovered in one of Notarius' systems or technology infrastructures;
- you did not conduct any tests with the intent to harm such systems and infrastructures or the information held, and did not exploit the vulnerability beyond the minimum required to demonstrate its existence
- You have applied the necessary measures to protect the information that you may have learned of during your intervention and have not compromised its integrity;
- during your intervention, you did not use, communicate or retain any data;
- you are not in violation of any Quebec or Canadian law, and you are not engaged in illegal acts such as social engineering, phishing, spamming or denial of service attacks;
- you have sought or will seek Notarius' permission before making public the vulnerability you have found and the details thereof, whether on social networks or through other means of communication
- you will not demand any compensation for your intervention.
Notarius' commitment
Notarius undertakes not to take legal action or file a complaint against you in connection with the report you submit, as long as you respect your commitment. Notarius is also committed to an open and safe dialogue about your vulnerability report.
Reporting a vulnerability
The preferred method of reporting a vulnerability is through the Vulnerability Reporting form. You may submit the form anonymously.
Notarius will review all reports made and all forms submitted.
If you provide contact information, Notarius may contact you to discuss the reported vulnerability.
Ineligible situations
Certain reported vulnerabilities may, at the discretion of Notarius, not be retained or processed, including:
- a non-exploitable vulnerability;
- a best practice recommendation on, but not limited to:
- missing security headers,
- banner input;
- a user interface anomaly;
- a user experience improvement;
- Spelling errors;
- Reports from automated scans.