Overview

This Code of Conduct documents the expectations for users of VINCE and coordinated vulnerability disclosure processes led by the CERT/CC.

Harassment: We define harassment as unwelcome or hostile behavior, including but not limited to speech that intimidates, creates discomfort, or interferes with a person's participation or opportunity for participation; verbal threats or demands; degrading language; intimidation; harassing photography, screen shots, or audio or video recording; inappropriate physical contact; sexual imagery; unwelcome sexual attention; stalking; unsolicited physical contact; and sustained disruption of the coordination process, including case handling workflows, presentations, and other events. Similarly, encouraging others to engage in such behavior is not permitted, nor are false accusations of harassment.

VINCE platform: The software service that the CERT/CC provides to enable its coordinated vulnerability disclosure practice.

VINCE user: Any user of the VINCE platform, including CERT/CC analysts, researchers, vendors, and other participants.

CERT/CC analyst: Individuals authorized to represent the CERT/CC within the VINCE platform.

VINCE Code of Conduct

Successful vulnerability coordination requires an open exchange of ideas. Open exchange is only possible in an environment that fosters dignity, understanding, and mutual respect, and where participants recognize the inherent worth of every person and group. 

Harassment is never appropriate.

We pledge to make participation in our community a harassment-free experience for everyone.

In particular, we will not tolerate harassment that targets persons or groups based on attributes including but not limited to: age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.

We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.

We have adopted this code of conduct to define the behaviors we support (and don't support) in our vulnerability disclosure coordination practice.

We expect VINCE users to follow this code of conduct. We expect offenders who are asked to stop their harassing behavior to comply immediately.

We do not tolerate any form of harassment or offensive behavior in the context of our coordinated vulnerability disclosure practice, which includes the VINCE platform.

If a VINCE user engages in harassing behavior, the offender may be suspended from further participation in the VINCE platform.

Scope

This Code of Conduct applies across the VINCE platform, however we expect and encourage respectful and non-harassing behavior from all parties we engage with.

Reporting abuse

Instances of harassment may be reported to the CERT/CC using the private message to CERT/CC mechanism within VINCE. All complaints will be reviewed and investigated promptly and fairly.

Instructions for using the private message feature of VINCE can be found here.

All CERT/CC analysts are obligated to respect the privacy and security of the reporter of any incident.

Examples of behavior that contributes to a positive environment for our community include:

  • Demonstrating empathy and kindness toward other people
  • Being respectful of differing opinions, viewpoints, and experiences
  • Giving and gracefully accepting constructive feedback
  • Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
  • Focusing on what is best not just for us as individuals, but for the overall community

Examples of harassment include:

  • The use of sexualized language or imagery, and sexual attention or advances of any kind
  • Trolling, insulting or derogatory comments, and personal or political attacks
  • Public or private harassment
  • Publishing others' private information, such as a physical or email address, without their explicit permission
  • Other conduct which could reasonably be considered inappropriate in a professional setting



Responsibilities

The CERT/CC is responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that the CERT/CC deems inappropriate, threatening, offensive, or harmful.

CERT/CC analysts have the right and responsibility to remove, edit, or reject comments, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.

Corrective actions to the violations of the VINCE Code-of-Conduct may include: private or public warnings, a temporary ban, or even a permanent ban from the system. The CERT/CC will consider these and other options to encourage a cooperative vulnerability coordination and disclosure process.

Persistent or recurring offenses from multiple members of an organization may result in consequences for the organization as well.

References

Portions of this document are adapted from