Digital Security Exchange Code of Practice
This Code of Practice defines the Digital Security Exchange (DSX) Information Handling Policy, Vulnerability Disclosure Policy, and Code of Conduct. It also outlines the stakeholder expectations and responsibilities established in the Partner Agreement. This document is a statement of intent for the design, development and implementation of DSX’s full scope of services. A limited scope of services is currently in operation, for which all principles here remain true.
Information Handling Policy
DSX will request only the information required to assess a partner’s problem and how to assist them. This may include description of problem, measures taken or relevant files. We will not be privy to incident details between the organization and digital security provider unless we are specifically given access to such details. (Such assistance may be provided where translation or other support is requested.) As a general rule, information requested by DSX and any disclosure of information to providers, is done on a need-to-know basis, while protecting stakeholders in an incident as much as possible without turning the incident information into void information, not useable for incident handling by the receiving party. Incident information (other than number and type of incidents) will be deleted from the platform once ticket is closed. It will stay in the backup system (for disaster/recovery purpose) and will be kept there for a week before being purged.
Private incident information will never be shared with donors or other stakeholders. Donors will only be privy to threat notifications and quantitative project monitoring data such as number of incidents dealt with. Non-sensitive information related to community threats will be extracted from incidents and shared as a community alert, in order to help prevent other partners avoid similar incidents. Sensitive incident information may be shared privately with specific partners if they are at risk from the incident. All sharing of information will be conducted in coordination and with the approval of the partners concerned. However, where a vulnerability may seriously affect the security of DSX partners, and the relevant partner is non responsive, we reserve the right to notify the affected stakeholders. (See Vulnerability Disclosure Policy below)
DSX and the providers we work with will handle all information responsibly and protect it against inadvertent disclosure to unauthorized parties.
The security of the methods of storing and transmitting information inside or outside the team, will be appropriate to its sensitivity. In general this means that sensitive information will be kept and sent only in encrypted formats or over secure channels – this explicitly includes back-ups of sensitive information.
DSX recognizes and supports the ISTLP (Information Sharing Traffic Light Protocol). Note that an “Information Exchange” can be either in person, online, or over the phone.
Non-disclosable Information and restricted to representatives participating in the Information Exchange themselves only. Representatives must not disseminate the information outside of the Exchange.
Limited Disclosure and restricted to members of the Information Exchange; those within their organizations and/or constituencies (whether direct employees, consultants, contractors or outsource-staff working in the organization) who have a NEED TO KNOW in order to take action.
Information can be shared with other organizations, Information Exchanges or individuals in the community at large, but not published or posted on the web.
Information that is for public, unrestricted dissemination, publication, web-posting or broadcast. Any member of the Information Exchange may publish the information, subject to copyright.
Vulnerability Disclosure Policy
Vulnerabilities reported to DSX which may seriously affect the security of our partners will be disclosed to stakeholders three weeks after the initial report. Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure. DSX will work with community members to establish a rating system for vulnerabilities to determine level of seriousness and use it to define what falls under the DSX remit. Until then, determinations will be made by the DSX team and public disclosures will not be made without consultation of its Advisory Committee. It is the goal of this policy to balance the need of the public to be informed of security vulnerabilities with organizations’ need for time to respond effectively.
DSX adheres to a do no harm approach.
The general disclosure schedule is as follows:
Step 1: Vulnerabilities reported to us will be forwarded to the affected organization as soon as practical after we receive the report. They will be asked to respond, and if possible, address the issue within a week. If the organization is responsive and is working to resolve the issue, DSX will either offer support or extra time as appropriate. This will depend on severity of the issue and potential harm.
Step 2: If there is no response after two weeks the issue may be raised with relevant members of the community or service providers if appropriate.
Step 3: If, a full three weeks after notification, no solution has been reached the issue will be disclosed to stakeholders. This may include the public or donors if deemed appropriate. In extenuating circumstances this disclosure may be reconsidered, especially when the organization is cooperative and working to fix the issue.
The final determination of a disclosure schedule will be based on the best interests of the DSX community overall.
Disclosures made by DSX will include credit to the reporter unless otherwise requested by the reporter. We will apprise any affected vendors of our publication plans and negotiate alternate publication schedules with the affected vendors when required. The name and contact information of the reporter will be forwarded to the affected vendors unless otherwise requested by the reporter. We will advise the reporter of significant changes in the status of any vulnerability he or she reported to the extent possible without revealing information provided to us in confidence.
The Partner Agreement outlines the explicit expectations and responsibilities each organization and provider has by becoming a partner of DSX.
Code of Conduct
This code of conduct applies to all DSX spaces, either in online interactions or associated events or social gatherings. Partners, Service Providers and participants are responsible for knowing and abiding by the rules detailed below.
DSX is committed to providing a safe and welcoming environment for addressing and discussing issues related to the digital security of the communities in which we work.
In particular, we aim to banish any shame or stigma surrounding partners’ digital security mistakes or hacking, so we encourage all those involved to approach interactions with open and supportive attitudes, and to engage constructively with others at all times.
DSX is dedicated to providing a harassment-free experience for everyone, regardless of gender, gender identity and expression, age, sexual orientation, disability, physical appearance, body size, race, ethnicity, religion (or lack thereof), technology choices, skillset or level of knowledge. We do not tolerate harassment of community members in any form.
Anyone who violates this code of conduct may be sanctioned or expelled from these spaces at the discretion of the DSX team.
Harassment may occur online or in person. Examples of unacceptable behaviors include:
Offensive comments which reinforce social structures of domination and/or are related to gender, gender identity and expression, sexual orientation, disability, mental illness, neuro(a)typicality, physical appearance, body size, age, race, or religion.
Unwelcome comments regarding a person’s lifestyle choices and practices, including those related to food, health, parenting, drugs, and employment.
Deliberate misgendering or use of ‘dead’ or rejected names.
Gratuitous or off-topic sexual images or behaviour in spaces where they’re not appropriate.
Physical contact and simulated physical contact (eg, textual descriptions like “hug” or “backrub”) without consent or after a request to stop.
Threats of violence.
Incitement of violence towards any individual, including encouraging a person to commit suicide or to engage in self-harm.
Stalking or following.
Harassing photography or recording, including logging online activity for harassment purposes.
Sustained disruption of discussion, talks or other events.
Unwelcome sexual attention or physical contact.
Pattern of inappropriate social contact, such as requesting/assuming inappropriate levels of intimacy with others
Continued one-on-one communication after requests to cease.
Deliberate “outing” of any aspect of a person’s identity without their consent except as necessary to protect vulnerable people from intentional abuse.
Publication of non-harassing private communication.
Publishing another person’s’ private information, such as physical or electronic addresses, without explicit permission
Advocating for, or encouraging, any of the above behaviour
Drugging food or drink
Enlisting the help of others, whether in person or online, in order to target an attendee
We prioritise marginalised people’s safety over privileged people’s comfort. Our team will not act on complaints regarding:
‘Reverse’ -isms, including ‘reverse racism,’ ‘reverse sexism,’ and ‘cisphobia’
Reasonable communication of boundaries, such as “leave me alone,” “go away,” or “I’m not discussing this with you.”
Communicating in a ‘tone’ you don’t find congenial
Criticising racist, sexist, cissexist, or otherwise oppressive behavior or assumptions
Let someone leave a conversation that makes them uncomfortable, and do not follow people who asked to be left alone. If you discuss difficult topics that may be traumatic for participants, provide warnings so people may leave a conversation or plan coping strategies.
If you are being harassed, notice that someone else is being harassed, or have any other concerns, please notify firstname.lastname@example.org. Reports are confidential. You will not be asked to take actions that make you feel unsafe.
This code of conduct applies to DSX spaces, but if you are being harassed by a person involved in DSX outside our spaces, we still want to know about it. We will take all good-faith reports of harassment seriously. This includes harassment outside our spaces and harassment that took place at any point in time. The abuse team reserves the right to exclude people from DSX based on their past behavior, including behavior outside DSX spaces. We will respect confidentiality requests for the purpose of protecting victims of abuse. At our discretion, we may publicly name a person about whom we’ve received harassment complaints, or privately warn third parties about them, if we believe that doing so will increase the safety of partners or people involved with DSX. We will not name harassment victims without their affirmative consent.
Harassment and other code of conduct violations reduce the value of our community for everyone. We want you to be happy in our community as people like you make it a better place. If the person who is harassing you is part of the organizing staff, they will recuse themselves from handling your incident. We will respond as promptly as we can.
Participants asked to stop any harassing behavior are expected to comply immediately.
If a participant engages in harassing behavior, DSX may take any action they deem appropriate, up to and including expulsion from all DSX spaces and identification of the participant as a harasser to other DSX members or the general public.
This policy is licensed under the Creative Commons Zero license. It is public domain, no credit and no open licensing of your version is required.
This anti-harassment policy is based on the example policy from the Geek Feminism wiki, created by the Geek Feminism community, and also the Code Of Conduct Generator.