Protection of Copyright and Responsible Disclosure

Open Fiber S.p.A. reserves the right to update the following information at any time. Any changes will be published on this page, so we encourage users to consult it regularly.

Any reports of criminal conduct within the meaning of Law No. 633 of 22 April 1941 (“Protection of Copyright and other rights related to its exercise”) should be sent to the email address internetabuse@openfiber.it

Introduction & Scope

Open Fiber S.p.A. places the highest importance on the security of its systems, applications, infrastructures and its customers’ data. For this reason, it has established a dedicated and secure channel for reporting vulnerabilities or other critical issues, ensuring their timely management.


Responsible Disclosure Principles

When reporting a vulnerability, it is essential to adhere to the following key principles:

  • The report must be made in a non-anonymous form, using only the information provided at the following link.
  • Disclosure of vulnerabilities to third parties or to the public is not authorized.

Furthermore, the following actions are prohibited:

  • Performing activities that may compromise the security, privacy, or availability of Open Fiber S.p.A.’s systems, its customers, or its suppliers and collaborators.
  • Accessing, modifying, or deleting data, even if accidentally exposed.


What to include in the report

To help us understand and resolve the vulnerability, the report should include:

  • A detailed description of the vulnerability and its potential impact (exploit code, CVSS reference, etc.)
  • Technical details, steps and tools used to reproduce the vulnerability (for example: URL, screenshot, attacker code, executed queries)


How we handle reports

Once we receive the report:

  • Confirmation of receipt will be provided, along with any updates, where possible.
  • Open Fiber S.p.A. will keep the information confidential until the vulnerability is resolved.

Open Fiber S.p.A. does not offer rewards (monetary or otherwise) for vulnerability reports.


Exclusions 

The following are out of scope:

  • “Social engineering” attacks targeting employees or collaborators.
  • Results from automated vulnerability assessment/penetration testing/Information Gathering tools.
  • Results from Denial of Service (DoS, DDoS) attacks, for which Open Fiber S.p.A. reserves the right to take appropriate actions.
  • Bugs related to the User Interface or User Experience that do not constitute a security vulnerability (e.g., typos, page formatting errors).
  • Findings related to domains not directly managed by Open Fiber S.p.A. or not within the specified perimeter.
  • Any reports unrelated to security.

Reporters must refrain from any activity that may result in the violation, loss, and/or destruction of data related to the systems and services involved in the report, or in the degradation or interruption of services. In this regard, the following actions are not authorized:

  • Accessing, modifying, or downloading data.
  • Performing actions similar to Denial of Service attacks that could damage the operation of any Open Fiber S.p.A. asset or resource.
  • Uploading, linking, executing, or sending malicious code using Open Fiber S.p.A.’s systems.
  • Conducting tests that send unsolicited messages, spam, or other unauthorized messages.


How we handle data

Please refer to our Privacy Policy.


Compliance with the Law

By submitting a report in accordance with this policy, you confirm that you are acting in good faith and in compliance with all applicable laws and regulations. Illegal activities will not be tolerated. Open Fiber S.p.A. reserves the right to take legal action in case of irregular or illegal activities.