Vulnerability Disclosure Policy (VDP)

Version: 1.0
Date Issued: October 3, 2024
Effective Date: Immediately
Updated Date: April 3, 2024

Purpose

ABI Resources is committed to ensuring the security and privacy of our users, clients, and stakeholders by safeguarding digital information and maintaining secure information systems. This Vulnerability Disclosure Policy (VDP) provides guidelines for the ethical cybersecurity research community and members of the public to conduct responsible vulnerability discovery activities on ABI Resources’ public-facing systems. It establishes a clear process for submitting any discovered vulnerabilities to ABI Resources, ensuring they are used solely for defensive purposes such as mitigation and remediation.

Authorized Activities

Cybersecurity researchers ("researchers") who comply with this policy while conducting vulnerability discovery activities directed at ABI Resources’ systems are regarded as conducting authorized activities. ABI Resources will not take legal action against researchers who abide by this policy.

Overview

At ABI Resources, maintaining the security of our systems is critical to our mission of providing services to individuals with disabilities. Vulnerabilities discovered in our information systems can potentially pose risks to the privacy and safety of our clients. This policy facilitates open communication with the cybersecurity research community to improve ABI Resources’ security posture.

Vulnerabilities submitted to ABI Resources under this policy will be used solely to mitigate or remediate risks in our networks, services, or those of our vendors.

Researchers must fully understand, review, and agree to the guidelines in this policy before conducting any testing on ABI Resources’ systems and before submitting a report.

Scope of Policy

This policy applies to all ABI Resources systems and services that are accessible from the Internet. This includes all digital assets operated by ABI Resources. If there is any uncertainty about whether a system falls within the scope of this policy, researchers are required to contact ABI Resources at ABI@CTBRAININJURY.com before conducting any further testing.

General Guidelines

To ensure activities are authorized under this policy, researchers must adhere to the following:

  1. Notify ABI Resources within 72 hours of discovering any actual or potential security vulnerabilities.

  2. Avoid privacy violations, degradation of user experience, disruption to systems, or manipulation/destruction of data.

  3. Limit testing to only those activities necessary to confirm a vulnerability.

  4. Do not exploit vulnerabilities to compromise, exfiltrate, or alter data. Do not escalate privileges or establish command line access.

  5. Do not perform lateral movement within ABI Resources’ network.

  6. Do not introduce malware during testing.

  7. Do not publicly disclose vulnerabilities without prior coordination with ABI Resources.

  8. Submit meaningful reports and avoid high volumes of low-quality or false-positive submissions.

If sensitive data (e.g., personally identifiable information or proprietary information) is discovered during testing, researchers must stop and report the vulnerability immediately without further accessing the data.

Test Methods

  • Testing must be limited to detecting vulnerabilities or identifying indicators of vulnerabilities in ABI Resources systems.

  • No access or destruction of data: Researchers must not attempt to access, exfiltrate, delete, or modify ABI Resources data.

  • No disruption of services: Researchers must avoid any activity that could impair access to ABI Resources systems.

  • No public disclosure without permission: Disclosure of vulnerabilities is prohibited until the vulnerability has been remediated and explicit written authorization has been obtained from ABI Resources.

If at any time researchers are unsure whether to proceed with a certain activity, they must contact ABI Resources at ABI@CTBRAININJURY.com before continuing.

Reporting a Vulnerability

To submit a vulnerability report, researchers must provide a comprehensive summary of the discovered vulnerability, including:

  • Description of the vulnerability and potential impact.

  • Product, version, and configuration of any software or hardware affected.

  • Step-by-step instructions to reproduce the issue.

  • Proof-of-concept.

  • Suggested mitigation or remediation actions, if available.

Vulnerability reports should be submitted to ABI@CTBRAININJURY.com. If sensitive material is being submitted, encryption is recommended for data protection.

By submitting a report, researchers agree to the terms of this policy and acknowledge that their communications with ABI Resources will be stored on ABI Resources' systems for the purpose of coordinating remediation.

What You Can Expect from Us

ABI Resources is committed to:

  1. Acknowledging receipt of each vulnerability report within three (3) business days.

  2. Investigating and validating vulnerabilities to ensure appropriate actions are taken to mitigate or remediate identified risks.

  3. Maintaining open communication with researchers throughout the investigation process, including requests for additional information as necessary.

  4. Providing feedback to the researcher regarding the resolution or progress of the vulnerability report.

ABI Resources will not initiate legal action against researchers who comply with this policy and will, where necessary, affirm to legal authorities that the research was conducted under authorized terms.

Activities Outside the Scope of this Policy

ABI Resources does not authorize activities that are outside the scope of this policy. Such unauthorized activities include, but are not limited to:

  • Physical testing or social engineering (e.g., spear phishing, pretexting) of ABI Resources personnel or contractors.

  • Denial-of-service (DoS or DDoS) attacks or any activity that impairs access to ABI Resources systems.

  • Exploitation of vulnerabilities for malicious purposes, including establishing backdoors or command-line access.

  • Testing involving systems or assets not owned or controlled by ABI Resources.

Researchers engaging in activities inconsistent with this policy may face legal or civil liabilities.

Modification or Termination of this Policy

ABI Resources may modify or terminate this policy at any time without notice. Researchers are responsible for ensuring they comply with the most current version of this policy.

Contact Information

For questions, concerns, or suggestions regarding this policy, or to report vulnerabilities, please contact us at:

ABI Resources
39 Kings HWY STE C
Gales Ferry, CT 06335
Phone: 860-942-0365
Email: ABI@CTBRAININJURY.com