Skip to main content

Responsible Disclosure Policy

We take the security of our technical infrastructure very seriously. If you nevertheless come across something that you regard as a vulnerability in one of our technical systems or services, please let us know straight away, so that we can rectify the situation as soon as possible.
As we are part of an academic and research institution (public institution), we cannot offer you monetary or other similar rewards for your findings. Additionally, we do not have a “Hall of Fame” page. However, we are really grateful to you for your contribution to improve our cyber security.

Have you found a vulnerability?

To prevent any kind of abuse by others of the potential vulnerability, we ask to respect the following guidelines of our Responsible Disclosure Policy:

  • Mail your observations as soon as possible to dns@register.si. You can send this in two languages: English or Slovenian.
  • Encrypt your message using our dns@register.si PGP key so that the information can’t fall into the wrong hands.
  • In your message, be complete and provide as much information as you can, so that we have the best possible chance of reproducing and resolving the problem you have encountered. In most cases, the IP address or URL of the system in question plus an outline of the vulnerability will be enough. However, a complex issue may require a detailed description (including screenshots, log entries, etc.).
  • When reporting an issue, include at least a valid e-mail address that we can use to get in touch if we need additional details or clarification.
  • Do not alter any data or system settings. Please ensure that any research you perform does not harm the operational performance of our systems. DDOS, social engineering attacks, installation of malware or viruses, password theft, fraud, etc. will be considered as an offense and will be transmitted to the authorities.
  • Don’t share what you’ve found with anyone else until we’ve resolved the problem.
  • Destroy any confidential information that may have come into your possession.
  • Act responsibly with your knowledge of the security issue. Go no further than you should to in order to demonstrate the vulnerability to us. Don’t misuse the encountered security problem.

What can you test?

Suspected security vulnerabilities that can be misused for illegal purposes and which occur:

What can you expect from us?

  • If you follow the conditions set out above when reporting an issue to us, we will attach no legal consequences related to your research of that issue.
  • We appreciate your help in optimizing the security of our systems and networks. That’s why we will do our most to have all contacts in a fair and respectful way:
    • We will treat your report as confidential and we will not share your personal details with any third party without your consent, unless we are obliged to do so by law or by a court ruling.
    • We will get in touch with you within 10 working days (if you provided us valid contact information).
  • We will undertake any necessary corrective action as soon as we can and we will seek to resolve all issues as quickly as possible.

Finally

  • If you find a vulnerability, but do not follow the responsible disclosure rules set out above, we reserve the right to take action or legal proceedings and/or to report the matter to the police.
  • Responsible disclosure is revealing vulnerabilities in a responsible manner in joint consultation between you and Registry .si based on this responsible disclosure policy.

Responsible disclosure policy version 2.1, dated 24 June 2024.

(*) In the drafting of this text, we have used the following templates provided by Floor Terra and Bugcrowd: