Responsible Disclosure Policy

Hindawi welcomes feedback from the community on its products, platform and website. Our Responsible Disclosure policy allows for security testing to be done by anyone in the community within the prescribed reasonable standards and the safe communication of those results. If you identify any vulnerabilities in Hindawi’s products, platform or website, please report the matter to Hindawi at security@hindawi.com using this PGP key (Hash: 5B380BF70348EFC7ADCA2143712C7E19C1658D1C)

For the development of Phenom and our new website, we have relied on community-driven solutions and collaborative work. Our platforms are built on open source software and benefit from feedback from the communities we serve. 

We welcome your support to help us address any security issues, both to improve our products and protect our users. 

We agree not to pursue legal action against individuals or companies who submit vulnerability reports through our requested channel and who comply with the requirements of this policy unless we are compelled to do so by a regulatory authority, other third party, or applicable laws.

The following are excluded from the Responsible Disclosure Policy (note that this list is not exhaustive):

  • Taking any action that will negatively affect Hindawi, its subsidiaries or agents.
  • Retaining any personally identifiable information discovered, in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage.
  • Disclosing any personally identifiable information discovered to any third party.
  • Destruction or corruption of data, information or infrastructure, including any attempt to do so.
  • Discovery dependent on social engineering techniques of any kind (any verbal or written interaction with anyone affiliated with or working for Hindawi).
  • Any exploitation actions, including accessing or attempting to access Hindawi’s data or information, beyond what is required for the initial “Proof of Vulnerability.” This means your actions to obtain and validate the Proof of Vulnerability must stop immediately after initial access to the data or a system.
  • Attacks on third-party services.
  • Denial of Service attacks or Distributed Denial of Services attacks.
  • Any attempt to gain physical access to Hindawi property or data centers.
  • Use of assets that you do not own or are not authorised or licensed to use when discovering a vulnerability.
  • Violation of any laws or agreements in the course of discovering or reporting any vulnerability.

Out of scope vulnerabilities

  • Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit.
  • Third-party applications, websites or services that integrate with or link Hindawi.
  • Discovery of any in-use service (vulnerable third-party code, for example) whose running version includes known vulnerabilities without demonstrating an existing security impact.

Preference, prioritization, and acceptance criteria

We will use the following criteria to prioritize and triage submissions.

What we would like to see from you:

  • Well-written reports in English will have a higher chance of resolution.
  • Reports that include proof-of-concept code equip us to better triage.
  • Reports that include only crash dumps or other automated tool output may receive lower priority.
  • Reports that include products not on the initial scope list may receive lower priority.
  • Please include how you found the bug, the impact, and any potential remediation.
  • Please include any plans or intentions for public disclosure.

What you can expect from us:

  • A timely response to your email.
  • After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
  • An open dialogue to discuss issues.
  • Notification when the vulnerability analysis has completed each stage of our review.

Hindawi reserves all of its rights, especially regarding vulnerability discoveries that are not in compliance with this Responsible Disclosure policy.  This Responsible Disclosure policy is dated 1 October 2020 and will be periodically reviewed and updated; please bookmark this page and check it for the latest version of the policy before taking any action.

We are committed to sharing findings related to COVID-19 as quickly as possible. We will be providing unlimited waivers of publication charges for accepted research articles as well as case reports and case series related to COVID-19. Review articles are excluded from this waiver policy. Sign up here as a reviewer to help fast-track new submissions.