Responsible Disclosure Policy
As a news media organization, Manila Bulletin Publishing Corporation takes the security of its systems and the privacy of its users very seriously. We recognize the importance of vulnerability disclosure and encourage anyone who discovers a vulnerability in our systems to report it to us in a responsible manner.
We recommend reading this disclosure policy fully before you report any vulnerabilities. This helps ensure that you understand the policy, and act in compliance with it.
Our vulnerability disclosure policy includes the following guidelines:
Reporting vulnerabilities: Anyone who discovers a vulnerability on our website is encouraged to report it to us as soon as possible. Reports should be sent to security@mb.com.ph.
Responsible disclosure: We ask that anyone who discovers a vulnerability act responsibly and neither disclose nor exploit it before it has been resolved.
In Scope: Our vulnerability disclosure policy only covers mb.com.ph and www.mb.com.ph. Testing any domain other than those mentioned above is strictly prohibited.
Out of Scope Issues:
- Missing X-Frame-Options or related security headers
- Missing HttpOnly and Secure cookie flags
- Account enumeration (e.g. forgot-password error messages)
- Self XSS
- Tabnabbing
- Missing Best Practices
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) issues
- Lack of Rate Limiting
- Vulnerabilities as reported by automated tools without additional analysis as to how they’re an issue.
- Social Engineering attacks against our employees, contractors and customers.
- Physical Vulnerabilities
- Functional, UI, and UX bugs such as spelling mistakes
- Descriptive error messages
- HTTP error codes/pages
- Exposure of Google Maps API Keys
- Missing/misconfigured SPF/DMARC DNS-records
- Exposed credentials in JSON configuration files on mb.com.ph
Response time: We will respond to vulnerability reports within a reasonable time and keep the reporter informed of our progress in resolving the issue.
Communication: We will communicate openly and transparently with the reporter about the vulnerability, including acknowledging receipt of the report, confirming the existence of the vulnerability, and providing updates on our progress in resolving it.
Recognition: We may recognize and acknowledge the reporter's contribution to our security and privacy by mentioning them in our Hall of Fame page.
What we would like to see from you:
- Describe where the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
- Reports written in English if possible.
- Compliance with all other applicable laws and regulations.
- A good-faith effort to avoid any legal and privacy violations.
We take the security and privacy of our systems and users seriously, and we appreciate any help we receive from the security community in identifying and resolving vulnerabilities.
By submitting a report, you agree to be bound by these rules.
The Company reserves the right to modify this Responsible Disclosure Policy at any time, so please review it frequently.