Responsible Disclosure Policy

Our commitment

At RIPE NCC we are working hard to keep our systems and data secure. If you are a security researcher and have discovered a security vulnerability in one of our services, we appreciate your help in disclosing it to us in a responsible manner.

Find out how to report a vulnerability below.

Our responsible disclosure policy is not an invitation to actively hack and potentially disrupt our company network and online services. The RIPE NCC reserves the right to initiate legal action against researchers for penetrating or attempting to penetrate our systems if they do not adhere to this policy.

Scope

The following RIPE NCC services, assets and IP ranges are in scope of our responsible disclosure policy. Below you can see the table of all in scope and out of scope services.

In scope	Exclusions
*.ripe.net	.probes.atlas.ripe.net .anchors.atlas.ripe.net Any .ripe.net host located outside of the in-scope IP ranges List of public directories: Almost all public directories found under ripe.net domain and the data in it are expected to be public, some examples: ftp.ripe.net data-store.ripe.net www-static.ripe.net/

In scope	Exclusions
RIPE NCC owned assets	Public directories (many of them are supposed to be public)

In scope	Exclusions
RIPE NCC IP Range	193.0.0.160/27 RIPE Meeting network (2001:67c:64::/48 and 193.0.24.0/21) 2001:67c:2e8:3::/64

How to report a vulnerability

We are running our bug bounty program, utilising the ethical hacking and bug bounty platform of Intigriti. Intigriti is a european based, cost efficient platform which is actively utilised by the security researchers community.

Participating in our public bug bounty program is straightforward. Here's how:

You can visit https://app.intigriti.com/programs/ripencc/ripenccvdp.
Review our program guidelines, scope, and rules.
Commence testing our systems and promptly report any vulnerabilities you identify, following our responsible disclosure process.

Rewards and Recognition

To express our gratitude to the security researchers who help us to keep RIPE NCC services secure, we offer rewards and recognition, including:

- Bounties for valid reports
- Acknowledgement in our Hall of Fame for top contributors
- Opportunities for responsible disclosure coordination

If a security researcher does not wish to participate in the formal bug bounty program with Intigriti, you can report security issues to us directly by emailing the findings to [email protected]. Submitting a notification under a pseudonym is allowed. If a researcher would like to encrypt the email, our public PGP key can be used.

Unacceptable types of security research

While we encourage each security researcher to discover and report any vulnerabilities they find to the RIPE NCC in a responsible manner, the following conduct is expressly prohibited:

Performing actions that may negatively affect the RIPE NCC or its users (e.g. any form of Denial of Service attacks)
Accessing, or attempting to access, data or information that does not belong to the researcher
Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to the researcher
Conducting any kind of physical or electronic attack on RIPE NCC personnel, property or data centres
Using social engineering to target any RIPE NCC employee
Violating any laws or breaching any agreements in order to discover vulnerabilities

Exclusions

The following list of issues have already been reported to our Security team, have been reviewed, and deemed out of scope for the purposes of this programme. Please do not report any of the following classes of issues. Unless there are exceptional circumstances or novel attacks, these issues will be rejected:

Missing, or not 'properly' configured SPF, DKIM or DMARC records
The presence of public services such as robots.txt or FTP (e.g. ftp.ripe.net)
The availability of DNS zone transfers
Reports of old software versions without a working Proof of Concept of an exploit
Malicious activity originating from IP address space in the RIPE region, but not used by the RIPE NCC. Being a Regional Internet Registry we frequently receive abuse reports for Internet resources (IP addresses and AS numbers) which we are not responsible for. You can find abuse contacts on our website.

This is not an exclusive list. If a researcher reports a vulnerability that has already been reported by someone else, the researcher will be informed. In that case the researcher is not eligible for our Security Hall of Fame or a bounty from our bug bounty program.

What we ask from you

Please do not share the issue with others until it has been resolved
Please do not publish anything about the resolved issue unless this has been discussed with us
Please provide sufficient information with clear steps to reproduce the issue so that we can resolve it as soon as possible
Please delete all confidential information obtained through the vulnerability as soon as possible after reporting it, but always after consulting us to make sure that we can reproduce the issue

What we promise

We will act with urgency and necessary resources to resolve the issue
We will strive to respond to your report within three business days with our evaluation of the report and an expected resolution date
We will handle your report with strict confidentiality and not pass on your personal details to third parties without your permission
After a major security issue has been solved, we will publish a report on our website explaining the vulnerability discovered and how we fixed it on a case by case basis.
If you agree to have your name used in the report, we will credit you. Note that we will only credit the first person who reported a specific vulnerability to us

After your vulnerability report is verified, the security team will inform you if you are eligible to be mentioned in our Security Hall of Fame.