We will be sunsetting the Center for Digital Resilience, with all programs and activities drawing to a full close on December 31st, 2026.


Code of Practice

Information Handling Policy

CDR will request only the information required to assess a member’s problem and how to assist them. This may include a description of the problem, measures taken, or relevant files. Unless assistance is requested, we will not be privy to incident details between the member and Service Provider. Such assistance may be provided where translation or other support is requested.

Vulnerability Disclosure Policy

CDR adheres to a “do no harm” approach. The goal of this policy is to balance the public’s need to be informed of security vulnerabilities with organisations’ need for time to respond effectively.

  • Vulnerabilities reported to CDR which may seriously affect the security of our members will be disclosed to stakeholders three weeks after the initial report.
  • Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure.
  • CDR will work with community members to establish a rating system for vulnerabilities to determine their level of seriousness and use it to define what falls under the CDR remit. Until then, determinations will be made by CDR and public disclosures will not be made without consulting the Executive Director.

The general disclosure schedule is as follows:

Step One

Vulnerabilities reported to us will be forwarded to the affected organisation as soon as practical after we receive the report. They will be asked to respond, and if possible, address the issue within one week. If the organisation is responsive and is working to resolve the issue, CDR will either offer support or extra time as appropriate. This will depend on the severity of the issue and potential harm.

Step Two

If there is no response after two weeks, the issue may be raised with relevant members of the community or service providers, if appropriate.

Step Three

If, a full three weeks after notification, no solution has been reached, the issue will be disclosed to stakeholders. This may include the public or donors if deemed appropriate. In extenuating circumstances this disclosure may be reconsidered, especially when the organisation is cooperative and working to fix the issue.

Note that the final determination of a disclosure schedule will be based on the best interests of the CDR community overall.

  • Disclosures made by CDR will include credit to the reporter unless otherwise requested by the reporter. We will apprise any affected vendors of our publication plans and negotiate alternate publication schedules with the affected vendors when required.
  • The name and contact information of the reporter will be forwarded to the affected vendors unless otherwise requested by the reporter. We will advise the reporter of significant changes in the status of any vulnerability they reported to the extent possible without revealing information provided to us in confidence.

Member Agreement

The CDR Member Agreement outlines the explicit expectations and responsibilities that each civil society organisation (CSO) assumes by becoming a CDR member.

Partner Agreement

The CDR Partner Agreement outlines the explicit expectations and responsibilities that each civil society organisation (CSO) and individual assumes by becoming a CDR service provider partner.

Code of Conduct

Norms, Rules, and Proper Practices
