Coordinated Vulnerability Disclosure (CVD) Policy DIDE.ORG EDUCATIONAL TECHNOLOGY S.L.
Introduction
At DIDE.ORG EDUCATIONAL TECHNOLOGY S.L. (hereinafter, “DIDE”), we recognize the critical importance of cybersecurity in maintaining the trust and security of our users, customers, and stakeholders. In fulfilling our commitment to security, we have established a Coordinated Vulnerability Disclosure (CVD) Policy. This policy is designed to facilitate the responsible identification, notification, and resolution of vulnerabilities in our systems, products, and services.
Our policy encourages collaboration with the security research community and defines clear procedures for communicating and addressing vulnerabilities. By working together with researchers and stakeholders, we seek to minimize potential risks, ensuring that vulnerabilities are managed in an agile and transparent manner. This approach not only strengthens our security posture but also reinforces our commitment to a secure environment for all users of our products and services.
Scope
This CVD policy applies to all digital assets managed by DIDE, including software, hardware, and cloud services. It covers vulnerabilities that may affect the security, confidentiality, integrity, or availability of these assets.
The policy applies to all products and services offered on our main website, as well as related systems that interact with our infrastructure. Third-party products or services that are not under the direct control of DIDE are excluded from this policy. Vulnerabilities detected in such systems should be reported to their respective manufacturers. Similarly, issues in obsolete or unsupported versions of our products are out of scope, unless they represent a significant risk to the ecosystem.
Designation of, and Express Submission to, a CNA
DIDE formally designates Edgewatch as its CNA (CVE Numbering Authority). Edgewatch is the sole and exclusive party responsible for coordinating, assigning, and publishing CVE identifiers for vulnerabilities affecting the products, systems, and services managed by DIDE.ORG EDUCATIONAL TECHNOLOGY S.L.
Edgewatch will be responsible for verifying, classifying, and documenting each reported vulnerability that meets the criteria of the CVE system, in accordance with the rules established by MITRE and following the secure coordination guidelines defined in the National Cyber Incident Notification and Management Guide of the CCN-CERT.
DIDE is committed to actively collaborating with Edgewatch throughout the lifecycle of vulnerability management, providing the necessary technical information and acting on mitigation and response recommendations. The designation of Edgewatch as CNA will be public and effective from the entry into force of this policy.
Notification Guidelines
DIDE facilitates a simple and secure vulnerability notification process. The preferred method for reporting vulnerabilities is through the secure form available at https://disclosurealert.com/report. This form guides the user step by step, ensuring the efficient collection of the necessary information.
Reports are also accepted by email to the Edgewatch notification mailbox: security@edgewatch.com. We recommend encrypting messages using PGP. All notifications must include a detailed description of the vulnerability, the affected products or services, the steps to reproduce it, and, if possible, test code or screenshots.
Please refrain from making the vulnerability public until DIDE has had the opportunity to evaluate and remedy it. This approach allows us to protect users while collaborating with the reporting party.
Admissibility and Scope of Reports
DIDE values and encourages the responsible reporting of vulnerabilities that may significantly impact the security of our products and services.
However, certain types of vulnerabilities are out of scope due to their reduced impact. Examples: brute-force email enumeration, minor session management failures, and non-exploitable information leaks. For a complete list, see https://disclosurealert.com/kb/typically-out-of-scope-low-impact-vulnerabilities.
Also not included are failures in third-party services or products, or problems in old or unsupported versions of our software.
Rules of Engagement
- Do not perform Denial of Service (DoS) tests that may degrade or disrupt services.
- Physical access or social engineering is prohibited, including interactions with employees, customers, or collaborators.
- Do not test third-party services integrated into our products or infrastructure.
- Do not upload content to external platforms (such as GitHub, Dropbox, or YouTube) without prior authorization.
- Use professional language in any payloads or attack vectors used for testing.
- If you gain access to a sensitive system or to sensitive data, stop at the point of recognition and report it immediately.
- Document any findings discreetly, without publicly identifying DIDE or its customers.
Acknowledgment and Response Process
Upon receiving a report, the DIDE security team will confirm receipt within a maximum of three business days. This initial confirmation will indicate that the report has been received and is being evaluated. Subsequently, a preliminary assessment (triage) will be performed to verify the validity of the vulnerability and its potential impact on our systems and users.
Throughout the management process, open and regular communication will be maintained with the researcher, providing updates on the status of the analysis, corrective actions, and the final result. Once the vulnerability has been corrected, the reporting person will be informed, and the possible public disclosure will be coordinated within an agreed timeframe.
Disclosure Policy
DIDE is transparent in its management of vulnerabilities. Vulnerabilities will be publicly disclosed only once they have been mitigated and protective measures have been applied. The decision on when to disclose will be agreed upon with the reporting person, taking into account the risk and the existence of a solution.
In cases of immediate and significant risk, DIDE may expedite the disclosure process to alert users as soon as possible. If the risk is low, publication may be delayed until a comprehensive solution is available.
Relevant notifications will adhere to the National Cyber Incident Notification and Management Guide of the CCN-CERT.
Legal Protection and Principles of Good Faith
DIDE protects researchers who act in good faith in accordance with this policy. No legal action will be taken against those who report in compliance with these guidelines and current regulations. This provision promotes an environment of collaboration and trust with the security community. The goal is that investigations can be carried out without fear of retaliation if they conform to the established legal and technical framework.
Communication and Coordination
DIDE actively collaborates with Edgewatch, designated as a CVE Numbering Authority (CNA) by the CVE® Program under the supervision of INCIBE. If the report meets the requirements of the CVE system, Edgewatch will assign the corresponding identifier. This identifier allows the vulnerability to be tracked by the cybersecurity community and facilitates a coordinated response both within DIDE and across the rest of the sector.
During the process, Edgewatch will coordinate with DIDE and maintain continuous and fluid communication with the researcher to inform them about the status of the evaluation, the possible assignment of a CVE identifier, as well as the remediation measures adopted. This communication will adhere to the principles of cooperation established by the National Cyber Incident Notification and Management Guide of the CCN-CERT, ensuring adequate, responsible, and coordinated management of the vulnerability.
Remediation and Mitigation
Once a vulnerability has been verified, DIDE is committed to addressing it as quickly as possible. Remediation begins with a technical assessment of the scope and severity of the failure, followed by the development and deployment of patches, updates, or other containment measures.
As part of the process, affected users will be notified with detailed instructions on how to apply these solutions or temporarily mitigate the risk. The goal is to ensure not only that vulnerabilities are resolved quickly but also that users can act in an informed and safe manner.
Review and Continuous Improvement
At DIDE, we believe that continuous improvement is essential to maintaining a strong cybersecurity posture. Therefore, this CVD policy is regularly reviewed to ensure its suitability to industry best practices, the evolving threat landscape, and current regulatory requirements.
We encourage the research community to send comments and suggestions that help us improve our processes. With each review, we reinforce our commitment to the security and integrity of our products, services, and users.
Coordinated Vulnerability Disclosure (CVD) Policy of DIDE.ORG EDUCATIONAL TECHNOLOGY S.L.
Effective date: May 29, 2025
Last updated: May 29, 2025
Version: 1.0
Contact information
For any questions or to submit a vulnerability report, please contact the Edgewatch security team at security@edgewatch.com or visit our security page for more information.