The Caribbean CSPA wants all users browsing our websites to know we care about their security and continuously improve our security controls across all our websites. Below are some of the controls in place to protect users.
- Encrypted communication between users' browsers and our websites using HTTPS with a good configuration.
- Security headers that help to enforce HTTPS, restrict unauthorised content and block user-targeted attacks such as clickjacking and cross-site scripting.
- Filtering of malicious requests targeting applications, based on known and unknown attack patterns.
- Periodic web vulnerability scans (automated and manual).
- Independent security checks from a close team of volunteer cyber security professionals.
- A welcome for responsible disclosure of security issues discovered by anyone browsing our sites.
- A security.txt file to guide security researchers, as part of the security.txt initiative.
For security researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Perform research only within the scope set out below.
- Use the identified communication channels to report vulnerability information to us.
- Share discovered vulnerabilities only using the contact methods listed on the Contact page.
If you follow these guidelines when reporting an issue, The Caribbean CSPA commits to:
- Not pursuing or supporting any legal action related to your research.
- Working with you to understand and resolve the issue quickly.
- Recognizing your contribution on the Security Researcher Hall of Fame, if you are the first to report the issue and we have to make a code or configuration change based on it.
Out of scope
Any host not explicitly listed above.
In the interest of users and you as a security researcher, the following test types are not permitted or encouraged:
- Testing focused on social engineering (e.g. phishing, vishing)
- Testing of systems not listed in the ‘Scope’ section
- Any form of Denial of Service (DoS/DDoS) testing
How to report a security vulnerability?
If you believe you’ve found a security vulnerability in one of the in-scope websites, please send it to us by email, as either plain text or PDF, to [email protected]. Please include the following details with your report:
- Description of the issue and the affected URL/IP.
- Proof of concept to reproduce the vulnerability (e.g. screenshots)
- Your name/social media handle
Security configurations are continuously improved in line with good industry practices and developments. Although The Caribbean CSPA's websites are not under any type of regulatory or legal requirements, we continuously apply good security practices to protect all websites and users from harm.
This Security Policy was last updated on June 8, 2020. This policy can change without notice but will always ensure users and researchers have clear information about security when browsing any website of The Caribbean Cyber Security and Privacy Association (CSPA) Ltd.