Vulnerability Disclosure Policy

January 23, 2024

Summary

This policy governs all aspects of information systems vulnerability reports and interaction with researchers, members, and employees who report vulnerabilities. The purpose of this policy is to improve network defenses and broaden the security protections for the “attack surfaces” of The Church of Jesus Christ of Latter-day Saints and its affiliates (the "Church"), as well as to offer an easy method for researchers, members, and employees to report vulnerabilities.

Policy

This policy governs the portal for security researchers, members, and employees interested in reporting security vulnerabilities affecting the Church. All submitters must agree and adhere to the program rules and legal terms ("Terms") stated in this policy. These Terms will be posted on the portal and submitters will agree to the Terms using the language at the end of the Terms.

Our Commitment:

  • The Church will work with you to understand and validate the vulnerability.
  • If deemed appropriate by the Church, the Church will address the vulnerability.
  • If your submission is deemed inappropriate, no response or follow-up will be provided.

Your commitment and guidelines:

  • Collaborate with the Church to address vulnerabilities identified in your submissions.
  • Provide a detailed description of each step to reproduce the vulnerability.
  • Do not engage in disruptive testing like Denial of Service (“DoS”) or any action that could impact the confidentiality, integrity or availability of user data and information systems.
  • Do not engage in social engineering (e.g., phishing, vishing, smishing, etc.) of members or employees.
  • You will not receive any compensation for your time or materials.
  • Do not perform exfiltration of any kind to other mediums.
  • Do not engage in any activity that may result in harm to the Church, its members, or its employees.
  • Do not store, share, compromise or destroy the Church’s data.
  • If Personally Identifiable Information (“PII”) is encountered, you must immediately halt your activity, purge related data from your system, and immediately contact the Church.
  • Abide by the Terms of Use for Church websites, including the Code of Conduct.

Reporting a vulnerability:

The Church accepts vulnerability reports through this online form. You may submit this anonymously, but for best results, please provide contact information in case the Church needs to follow up with questions or comments.

Typical Vulnerabilities Accepted:

  • OWASP Top 10 vulnerability categories
  • Other vulnerabilities with demonstrated impact

Typical Vulnerabilities Out of Scope:

  • Theoretical vulnerabilities
  • Informational disclosure of non-sensitive data
  • Low-impact session management issues
  • Self-XSS (user-defined payload)

Limitation of Liability

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, THE CHURCH, ITS AFFILIATES, AND PERSONNEL ARE NOT LIABLE FOR ANY DIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES, OR ANY OTHER DAMAGES OF ANY KIND, RESULTING FROM OR ARISING OUT OF YOUR USE OF CHURCH INFORMATION SYSTEMS OR PARTICIPATION IN VULNERABILITY TESTING OR SUBMISSIONS, INCLUDING, BUT NOT LIMITED TO, LOST WAGES, PROPERTY DAMAGE, LOST PROFITS, BUSINESS INTERRUPTION, AND LOSS OF PROGRAMS OR OTHER DATA ON YOUR INFORMATION HANDLING SYSTEM. TO THE FULLEST EXTENT ALLOWED BY LAW, IN NO EVENT WILL THE CHURCH’S TOTAL LIABILITY TO YOU FOR ALL DAMAGES, LOSSES, AND CAUSES OF ACTION EXCEED THE AMOUNT PAID BY YOU, IF ANY, FOR ACCESSING CHURCH INFORMATION SYSTEMS OR PARTICIPATION IN VULNERABILITY TESTING OR SUBMISSIONS. THE FOREGOING DOES NOT AFFECT ANY LIABILITY THAT CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.

Agreement

By submitting this form, you agree to adhere to the above commitments, rules, and terms. This agreement is governed by the law of the State of Utah, U.S.A., without giving any effect to any conflict-of-laws principles. You agree that any action you bring to enforce this Agreement, or any matters related to this site, must be brought in either the state or federal courts located in Salt Lake County, Utah, which will have exclusive jurisdiction over any such action. You hereby consent and submit to the personal jurisdiction of such courts for the purposes of litigating any such action. If any provision of this agreement is unlawful, void, or unenforceable in whole or in part, the remaining provisions will not be affected.