
    Ex Libris Responsible Disclosure Policy

    Introduction

    Ex Libris provides cloud services for customers using Ex Libris products. Ensuring the security of cloud services is critical for Ex Libris. To this end, Ex Libris undertakes security audits, vulnerability assessments and penetration tests to protect our cloud solutions and customers. As part of maintaining a high level of global security and privacy protection of the cloud infrastructure, Ex Libris also strongly values and welcomes customer cooperation in bringing security concerns and issues to Ex Libris’ attention in a responsible manner.

     

    Purpose and Scope

    The purpose of this policy is to define the method by which Ex Libris can work with the user community to improve security and mitigate vulnerabilities for Ex Libris services. This policy applies to all systems, personnel, and data at Ex Libris. 

     

    Responsible Disclosure Policy

    Ex Libris encourages you to identify and report to Ex Libris, in a responsible manner, any vulnerability, security or privacy issue that a user may find during the use of Ex Libris’ services, while adhering to the following policy. In all cases, any issues found should be promptly reported to Ex Libris and may not be abused, exploited or shared.

    Ex Libris does not encourage or permit users or any third parties (other than those retained by Ex Libris for such purpose) to perform penetration testing or any other types of vulnerability testing of its cloud and cloud solutions.

     

    Reporting a Vulnerability

    To report a vulnerability found in an Ex Libris service, submit your vulnerability report as soon as possible after discovery. 

    This can be done by:

    • Privately sharing details of the suspected vulnerability with the Ex Libris Chief Information Security Officer (CISO) by sending an email to SecurityOfficer@exlibrisgroup.com.
    • Providing full details of the suspected vulnerability so the Ex Libris security team may validate and reproduce the issue.

     

    Once you have identified a vulnerability with an Ex Libris service, we request that you:

    • Do not abuse or exploit discovered vulnerabilities in any way for any purpose;

    • Do not share discovered vulnerabilities with any entities or persons other than Ex Libris and its employees until after Ex Libris has confirmed that the vulnerability has been resolved;

    • Do not perform actions that may negatively affect Ex Libris or its users (e.g., spam, brute force, denial of service);

    • Avoid violating the privacy of others, violating the law, disrupting our systems, destroying data, and/or impacting user experience;

    • Provide us with adequate information to enable us to investigate the vulnerability properly (to be able to investigate properly, we will need to be able to efficiently reproduce your steps);

    • Provide us with information required to contact you (at least telephone number or email address).

     

    Our Commitment

    • We will acknowledge receipt of your vulnerability report;

    • We will assess the issue as soon as possible based on the vulnerability assessment policy (within five business days for critical issues, within two weeks for High and Medium);

    • Following our assessment we will provide a detailed response, severity level of the report and an estimated time frame for addressing the vulnerability reported;

    • We will keep you regularly informed of our progress toward resolving the vulnerability without creating potential risk for other customers and users;

    • Following resolution, or as necessary prior to resolution, we will update the Ex Libris community by publishing security advisories.

     

    Any report submitted in relation to this Responsible Disclosure Policy will be handled with great care with regard to the privacy of the reporter. We will not share your personal information with third parties without your permission, unless we are legally required to do so.

     

    Record of Changes

    | Type of Information | Document Data |
    |---|---|
    | Document Title: | Ex Libris Responsible Disclosure Policy |
    | Document Owner: | Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO) |
    | Approved by: | Barak Rozenblat - VP Cloud Services |
    | Issued: | Mar 6, 2020 |
    | Reviewed & Revised: | Mar 6, 2020 |

    Revision Control

    | Version Number | Nature of Change | Date Approved |
    |---|---|---|
    | 1.0 | Initial version | Mar 6, 2020 |
