CDR will request only the information required to assess a member’s problem and how to assist them. This may include a description of the problem, measures taken or relevant files. Unless assistance is requested, we will not be privy to incident details between the member and Service Provider. Such assistance may be provided where translation or other support is requested.
CDR adheres to a do-no-harm approach. It is the goal of this policy to balance the need of the public to be informed of security vulnerabilities with organisations’ need for time to respond effectively.
Vulnerabilities reported to us will be forwarded to the affected organisation as soon as practical after we receive the report. They will be asked to respond, and if possible, address the issue within one week. If the organisation is responsive and is working to resolve the issue, CDR will either offer support or extra time as appropriate. This will depend on the severity of the issue and potential harm.
If there is no response after two weeks, the issue may be raised with relevant members of the community or service providers if appropriate.
If, a full three weeks after notification, no solution has been reached, the issue will be disclosed to stakeholders. This may include the public or donors if deemed appropriate. In extenuating circumstances this disclosure may be reconsidered, especially when the organisation is cooperative and working to fix the issue.
Note that the final determination of a disclosure schedule will be based on the best interests of the CDR community overall.
The CDR Member Agreement outlines the explicit expectations and responsibilities that each civil society organisation (CSO) assumes by becoming a CDR member.
The CDR Partner Agreement outlines the explicit expectations and responsibilities that each civil society organisation (CSO) and individual assumes by becoming a CDR service provider partner.