Good CISO

Security Policy

Our Commitment to Security

At Good CISO, we take security seriously. As a cybersecurity service provider, we understand the importance of maintaining the highest standards of security in our operations. This security policy outlines our approach to security, vulnerability disclosure, and how to report potential security issues.

Vulnerability Disclosure Policy

We appreciate the work of security researchers and the wider community in helping to identify and responsibly disclose potential vulnerabilities. We are committed to working with the security community to verify, reproduce, and respond to legitimate reports of security vulnerabilities.

How to Report a Vulnerability

If you believe you have discovered a security vulnerability in our systems, please report it to us by email at alvin@goodciso.org.

To help us process your report effectively, please include:

  • A detailed description of the vulnerability
  • The location (URL) where the vulnerability was discovered
  • Steps to reproduce the issue
  • Any potential impact of the vulnerability
  • Any suggested mitigation or remediation actions

Our Commitment to Researchers

When you submit a vulnerability report, we commit to:

  • Acknowledge receipt of your report within 24 hours
  • Provide a timeline for resolution within 72 hours
  • Keep you informed about our progress towards resolving the issue
  • Recognize your contribution, if you would like us to and with your permission
  • Not take legal action against you if you have acted in good faith

Scope of Testing

The following actions are prohibited when testing our systems:

  • Denial of Service (DoS) attacks
  • Social engineering attacks
  • Physical attempts to access our facilities
  • Testing of third-party applications, websites, or services
  • Actions that could impact the availability or integrity of our services

Security Measures We Implement

At Good CISO, we implement a range of security measures to protect our systems and data:

  • Regular security assessments and penetration testing
  • Secure coding practices and code reviews
  • Strict Content Security Policy (CSP) implementation
  • CSRF protection on all forms
  • Input validation and sanitization
  • Rate limiting to prevent abuse
  • Regular security updates and patch management
  • Staff security awareness training

Contact Information

For security-related matters, please contact:

Email: alvin@goodciso.org

We aim to respond to all security-related inquiries within 24 hours.