Procedures for Reporting IT Vulnerabilities

The SCA does not have an established procedure for reporting or addressing technology security vulnerabilities.

In correspondence, the Society IT Manager suggested sending vulnerability notifications by email to them, to the relevant kingdom officers, or both.

From: Mathghamhain Ua Ruadháin
To: Society IT Manager
Cc: Society Webminister


A couple of months ago, when I discovered the problem with the SCA-Comments mailing list, I reported it via email to a bunch of people as well as in the webministry Slack, mostly because I didn’t know what the proper channels were, and it seemed urgent to get it addressed ASAP.

I’ve recently been alerted to another potential issue that might affect the online security of members’ personal information, although thankfully it’s less dramatic than the last incident, and I still need to do some additional research to confirm that it’s a real issue and hasn’t already been fixed.

In the meantime I figured it was worth confirming what I should do if that report checks out.

Are there officially-designated channels for sending in security reports? Does it matter if it’s at the kingdom level rather than a Society-wide issue? And is there some kind of standard procedure that governs how folks are supposed to respond when that kind of thing gets reported?

Thank you!

— Mathghamhain Ua Ruadháin

From: Society IT Manager
To: Mathghamhain Ua Ruadháin
Cc: Society Webminister


There is no standard procedure on it. For society, please email either me or ‘’. For Kingdom-based issues you can feel free to report them to me and I’ll reach out to the Kingdoms, or you can report them to the Kingdom directly. I can’t give you specifics as to who to reach out to in the Kingdom, as each Kingdom is different. I would appreciate at least a CC on any similar issue so that I can ensure they are corrected in a timely manner. Certainly, if you get no response from the Kingdom, please reach out to me.

I would prefer you report suspected issues as soon as you notice them. That way we can get more eyes on the problem as soon as possible.

From: Mathghamhain Ua Ruadháin
To: Society IT Manager
Cc: Society Webminister

That makes sense.

I’ll put a message together now and send it over in a few minutes.

— Mathghamhain

