RUSH COMPUTER RENTALS SECURITY INCIDENT DISCLOSURE POLICY

1. Overview

Electro Rent Corporation, and all its subsidiaries, (“RUSH”) takes its commitment to IT Security and the protection of user and commercially sensitive information and personal data seriously.
While Electro Rent utilises a Secure Software Development Lifecycle process for all its systems and services, some vulnerabilities may escape detection or new exploits are released after development.

This Security Incident Disclosure Policy (the “Policy”) outlines the processes and responsibilities of good-faith security researchers to disclose security incidents or vulnerabilities. This Policy applies to all of Electro Rent’s networks, websites, and systems on a global basis in whichever country they are located or accessed.

We at Electro Rent appreciate and encourage security researchers to contact us to report potential incident or vulnerabilities identified in any product, system, or asset that are in-scope as outlined in this Policy.

2. Policy

2.1 Reward

Electro Rent does not offer a “bug bounty” program; thus, we extend no offer of compensation or reward in consideration for any disclosure of a security incident or security vulnerability under this Policy. Nothing herein shall create any expectation of consideration in exchange for disclosure of an incident or vulnerability.

2.2 Guidance – Good Faith

To promote the discovery and reporting of security vulnerabilities or incidents, we kindly request that you:

  • Be respectful of our existing applications by avoiding
    • Acts of privacy violation
    • Destruction of data
    • Interruption or degradation of service
    • Accessing or modifying data belonging to our organization, users, or customers
  • Contact us immediately if personal information (e.g., names, addresses, email addresses, unique identifiers, credit card numbers) is encountered. Do not view, alter, destroy, save, share, store, transfer, or otherwise access or compromise the data, and please purge any local information upon reporting the vulnerability.
  • Report configuration “best practice” misalignments with supporting evidence of risk or pertinent information to gauge the importance of such an item. For example, TLS Cipher Suites.
  • Not access a disproportionally large amount of data. For example, an enumeration style attack only need 2 – 3 records to prove that it exists.
  • Not disclose any vulnerabilities or associated details via methods not described in this Policy or with anyone else other than a member of the Electro Rent IT Security Team. This includes but is not limited to:
    • The general public
    • 3rd parties either directly or indirectly connected to Electro Rent unless directed to do so by a member of the Electro Rent IT Security Team
    • Our customers
    • Our supplier
    • Other members of staff at Electro Rent unless directed to do so by the IT Security Team
    • The news media
    • Social media
    • Any government regulator

However, we also understand that you may wish to report your findings on your own website, a blog, or a forum. We also understand that this kind of publication helps promote security awareness overall but also can help your personal effort. Therefore we are willing to allow this limited type of publication but only after you have shared the exact wording of the proposed publication and we have had a chance to review and approve it. We wish, among other reasons, to ensure any identified data or vulnerability has been addressed before publication. As such any publication without our written approval will be considered a violation of this policy.

2.3 Scope

This disclosure policy applies to all vulnerabilities or incidents in Electro Rent Products, networks, systems, and services.

2.4 Reporting a Vulnerability

If through an act of “good-faith”, as described in 2.2, you believe you have identified a vulnerability or incident please email security@electrorent.com. In your report please include:

  • Date of discovery
  • The specific resource in question, e.g. the URL or IP Address etc
  • A brief summary of the type of vulnerability, e,g XSS or Configuration Mis-alignment

If the vulnerability is actively exploitable, we ask that you prepare, but do not provide on the initial contact, a benign proof of concept. A secure communication channel will be established for the sharing of such Proof of Concepts.

Do not attempt to actively exploit any vulnerability you find, please just report it.

Electro Rent welcomes recommendations for remediation along with your submission, however, we reserve the right to implement, or not, any remediations in any way deemed suitable and without any compensation or consideration to you. By reporting any vulnerability or providing any recommendation you are thereby granting a worldwide, enterprise-wide, royalty-free, non-exclusive, irrevocable use license for such work to Electro Rent, including the right to use, modify, reserve engineer, or otherwise exploit. Electro Rent may, at its discretion, provide details of the remediation work to facilitate post-remedial testing by the reporting individual.

Reporting of the vulnerability to 3rd parties, agencies, regulators, vendors, customers will be at the discretion of Electro Rent, and you agree not to disclose or report any security incident or vulnerability on behalf of Electro Rent. By submitting a Security Incident to Electro Rent, you agree to the terms and conditions of this Policy and agree to indemnify Electro Rent for any and all damages, liabilities, costs, and expenses (including attorneys’ fees) arising out of your breach of this Policy.

2.5 Timeframes

Electro Rent will not negotiate with reporters about Electro Rent’s actions or to prevent a reporter from taking a specific action (reports made as threats such as a threat of withholding, or threat of releasing the vulnerability to the public). This specifically includes any form of compensation for a reporter.

We aim to respond to your initial report within 3 (three) working days. We will set further timeframes for communication after initial contact as applicable to the severity of the vulnerability.
You must be provided with written confirmation by Electro Rent’s General Counsel prior to the public release of the vulnerability or incident.

2.6 Legalities

This policy is designed to be compatible with common sense among well-intentioned security researchers. It does not give you permission to act in any manner that might cause Electro Rent any form of harm or to be in breach of any of its legal obligations under applicable law, or in a way that your actions would be in violation with any applicable law, including but not limited to:

  • Computer Misuse Act (1990)
  • General Data Protection Regulation 2016/679 (GDPR)
  • California Consumer Protection Act (CCPA)
  • Data Protection Act (2018)
  • Computer Fraud and Abuse Act (CFAA)
  • Defend Trade Secrets Act of 2016 (DTSA)
  • Stored Communications Act (SCA)
  • Electronic Communications Privacy Act (ECPA)
  • Counterfeiting and Forgery Act 1981
  • Registered Designs Act 1949
  • Fraud Act 2006
  • Copyright Designs and Patents Act 1988
  • Trade Marks Act 1994

Electro Rent reserves the sole right to seek or not seek the prosecution of any security researcher who reports, in good faith, and in full accordance with this Policy, of any security vulnerabilities or incident.

Security Contributors

Electro Rent would like to thank the following researchers for their contributions to helping us improve our information security posture. Each of these folks has reported a vulnerability to us in the past.