Security Policy of philip.media

Purpose

The purpose of this security policy is to protect the integrity, the information and the security in general of the projects of philip.media.

philip.media is a private project, which opperates as philip.media, JokeNetwork, VeganCheck, cldsi.de and other names. The goal is to develop front-end, video-, photo- and other multimedia-solutions, mainly for the educational sector, but also for various other areas.

This policy informs contributors to philip.media projects and external parties (such as security researchers) of the principles that govern the possession, use, and destruction of philip.media information.

Objectives of the Security Policy

• Protect information from unauthorized access or misuse
• Ensure the confidentiality of information
• Maintain the integrity of information
• Maintain the availability of information/information systems for the provision of services
• Regulatory, contractual and legal requirements are met
• When information is no longer useful, it is disposed of in an appropriate manner

Report vulnerabilities

Known or unknown security vulnerabilities in philip.media projects may be reported to philip.media as part of a Responsible Disclosure Procedure and should follow the Vulnerabilty Disclosure Policy.

The contact details required for this can be found in our security.txt. Alternatively, security vulnerabilities can be reported on GitHub as an issue, should they not allow critical data retrieval.

Verified security vulnerabilities reported to us will be fixed as soon as possible and the responsible security researchers will be listed at Acknowledgments.

Dealing with reported vulnerabilities

Reported vulnerabilities are checked for reproducibility as quickly as possible. This is usually done within one day. The reporting body is then notified and the further procedure, including when the vulnerability can be expected to be closed, is communicated.

This is followed by a check of how long the security gap has existed and whether data could be retrieved.

If it was (theoretically) possible to retrieve data, the Bavarian State Data Protection Commissioner is notified and all potentially affected parties are also informed by e-mail.

Depending on the scope, the CERT Bund and, if necessary, other bodies will be notified.