{"id":15848,"date":"2025-06-06T11:06:16","date_gmt":"2025-06-06T10:06:16","guid":{"rendered":"https:\/\/dide.org\/coordinated-vulnerability-disclosure-policy\/"},"modified":"2026-01-05T15:23:25","modified_gmt":"2026-01-05T14:23:25","slug":"coordinated-vulnerability-disclosure-policy","status":"publish","type":"page","link":"https:\/\/www.dide.org\/en\/coordinated-vulnerability-disclosure-policy\/","title":{"rendered":"Coordinated Vulnerability Disclosure Policy"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Coordinated Vulnerability Disclosure (CVD) Policy DIDE.ORG EDUCATIONAL TECHNOLOGY S.L.<\/b><\/h1>

Introduction<\/b><\/p>

At DIDE.ORG EDUCATIONAL TECHNOLOGY S.L. (hereinafter, “DIDE”), we recognize the critical importance of cybersecurity in maintaining the trust and security of our users, customers, and stakeholders. In fulfilling our commitment to security, we have established a Coordinated Vulnerability Disclosure (CVD) Policy. This policy is designed to facilitate the responsible identification, notification, and resolution of vulnerabilities in our systems, products, and services. <\/p>

Our policy encourages collaboration with the security research community and defines clear procedures for communicating and addressing vulnerabilities. By working together with researchers and stakeholders, we seek to minimize potential risks, ensuring that vulnerabilities are managed in an agile and transparent manner. This approach not only strengthens our security posture but also reinforces our commitment to a secure environment for all users of our products and services. <\/p>

Scope<\/b><\/p>

This CVD policy applies to all digital assets managed by DIDE, including software, hardware, and cloud services. It covers vulnerabilities that may affect the security, confidentiality, integrity, or availability of these assets. <\/p>

The policy applies to all products and services offered on our main website, as well as related systems that interact with our infrastructure. Third-party products or services that are not under the direct control of DIDE are excluded from this policy. Vulnerabilities detected in such systems should be reported to their respective manufacturers. Similarly, issues in obsolete or unsupported versions of our products are out of scope, unless they represent a significant risk to the ecosystem. <\/p>

Designation and express submission of CNA<\/b><\/p>

DIDE formally designates Edgewatch<\/b> as its CNA (CVE Numbering Authority), being the sole and exclusive party responsible for coordinating, assigning, and publishing CVE identifiers<\/b> in relation to vulnerabilities affecting the products, systems, and services managed by DIDE.ORG EDUCATIONAL TECHNOLOGY S.L.<\/p>

Edgewatch will be responsible for verifying, classifying, and documenting each reported vulnerability that meets the criteria of the CVE system, in accordance with the rules established by MITRE and following the secure coordination guidelines defined in the National Cyber Incident Notification and Management Guide of the CCN-CERT<\/b>.<\/p>

DIDE is committed to actively collaborating with Edgewatch throughout the lifecycle of vulnerability management, providing the necessary technical information and acting on mitigation and response recommendations. The designation of Edgewatch as CNA will be public and effective from the entry into force of this policy. <\/p>

Notification Guidelines<\/b><\/p>

DIDE facilitates a simple and secure vulnerability notification process. The preferred method for reporting vulnerabilities is through the secure form available at https:\/\/disclosurealert.com\/report<\/a>. This form guides the user step by step, ensuring the efficient collection of the necessary information. <\/p>

Reports are also accepted by email to the Edgewatch notification mailbox: security@edgewatch.com<\/a>. We recommend encrypting messages using PGP. All notifications must include a detailed description of the vulnerability, the affected products or services, the steps to reproduce it, and, if possible, test code or screenshots. <\/p>

Please refrain from making the vulnerability public until DIDE has had the opportunity to evaluate and remedy it. This approach allows us to protect users while collaborating with the reporting party. <\/p>

Admissibility and Scope of Reports<\/b><\/p>

DIDE values and encourages the responsible reporting of vulnerabilities that may significantly impact the security of our products and services.<\/p>

However, certain types of vulnerabilities are out of scope due to their reduced impact. Examples: brute-force email enumeration, minor session management failures, and non-exploitable information leaks. For a complete list, see https:\/\/disclosurealert.com\/kb\/typically-out-of-scope-low-impact-vulnerabilities<\/a>. <\/p>

Also not included are failures in third-party services or products, or problems in old or unsupported versions of our software.<\/p>

Rules of Engagement<\/b><\/p>