Acceptable Use Policy

1. Purpose

The purpose of this document is to inform all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations with regard to the acceptable use of all systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo.

2. Scope

This policy applies to all DefectDojo Staff and any external parties who have access to DefectDojo equipment, systems, or networks.

3. Compliance

3.1 Compliance Measurement

The Information Security Management team will verify compliance with this document through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the document owner.

3.2 Exceptions

Any exception to the policy must be reviewed and approved in advance by the Management Review Team.

3.3 Non-Compliance

Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment.

3.4 Continual Improvement

This document is reviewed and updated as part of the continual improvement process.

4. Requirements

4.1 Use of Corporate Email

DefectDojo Staff must only use a DefectDojo-provided email to conduct any business operations and activities, including but not limited to any communication, automation, or registration activities.
DefectDojo Staff must only use their DefectDojo-provided email for DefectDojo-related business activities and not personal use.

4.2 Secure Authentication and Protection of Credentials

DefectDojo Staff must protect the authentication information used to access DefectDojo computer systems, IT assets, licensed software, and networks. At a minimum, DefectDojo Staff must:

  • Never share logins or passwords with others.
  • Never write down passwords or other authenticators and leave them around their workspace.
  • Never store passwords in documents or other clear-text objects online. Passwords may be safely stored in a Password Manager designed for that purpose, provided that access to the Password Manager is protected by a strong password (16 characters or longer) or by Strong Authentication and Multi-Factor Authentication.

4.3 Maintenance of Device Security

DefectDojo Staff must keep systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo up to date and never attempt to circumvent any security control or setting, such as automatic system patching and maintenance, mobile device management software, malware protection software, logging and monitoring, and others.

4.4 Training

DefectDojo Staff must complete all mandatory training assigned to them upon hire and throughout their employment. DefectDojo Staff will acknowledge their understanding of the content of any such training assigned to them.

4.5 Notifying Security Operations in Cases of Suspected Security Incidents

DefectDojo Staff must immediately notify the DefectDojo Security Operations team if they suspect or have identified that a security incident or a data breach has taken place. DefectDojo Staff will follow the guidelines provided in the Incident Response Policy.

4.6 Handling and Disposal of Data

DefectDojo Staff must handle data in accordance with its classification, as described in the Data Classification Policy.
DefectDojo Staff must retain data only if it is a business necessity. All data that is no longer needed must be securely disposed of, as described in the Data Retention Policy.
DefectDojo retains the right to delete or render inaccessible any data stored upon any DefectDojo owned or controlled system or device.

4.7 Examples of Unauthorized Use

Unauthorized use of DefectDojo systems, networks, IT assets, and licensed software is prohibited. DefectDojo will investigate incidents involving such violations and may involve and will cooperate with law enforcement if a criminal offense is suspected.
The following is an indicative, not exhaustive, list of examples of such unauthorized use:

4.7.1 Prohibition of Unlawful Activity

Anyone to whom this Policy applies must not undertake or accomplish any action that is illegal, unlawful, or otherwise constitutes a criminal, civil or administrative violation of any applicable local, state, provincial, federal, national, or international law, treaty, court order, ordinance, regulation, or administrative rule.

4.7.2 Conduct and Information Prohibitions

Anyone to whom this Policy applies must not:

  • Publish, post, send/receive, copy, store, retrieve, reproduce, distribute, transmit, disseminate, or in any manner use information or other material which:
    • is libelous, obscene, indecent, invasive of privacy, violent, threatening, abusive, lewd, harassing, defamatory, racist, or discriminatory, or in any way creates a risk to a person’s safety or health or to public safety or health, compromises national security, or interferes with an investigation by law enforcement;
    • infringes or misappropriates the intellectual property rights of DefectDojo;
    • in any way constitutes or encourages conduct that would constitute a criminal offense.
  • Upload, post, publish, transmit, reproduce, create derivative works of, or distribute in any way information, software, or other material obtained through the DefectDojo Products or otherwise, that is protected by any intellectual property right.
  • Send, transmit, distribute, or publish unsolicited bulk messages (commonly known as “spam”), including commercial advertising and informational announcements.
  • Send very large numbers of copies of the same or substantially similar messages, empty messages, or messages which contain no substantive content, or send excessively large messages, attachments, or files to one or more recipients, in a manner that disrupts a server, account, newsgroup, or chat service (commonly known as “mail-bombing”).
  • Collect responses from unsolicited bulk messages, or collect e-mail addresses, screen names, or other identifiers of other individuals (commonly known as “spidering” or “harvesting”).
  • Impersonate, in any manner, any person or entity for purposes of deception (commonly known as “phishing”), engage in sender address falsification, forge anyone else’s digital or manual signature, inject false data into the Internet via DefectDojo Networks in the form of insufficient routing information or incorrect Domain Name Server (DNS) information, or otherwise attempt to fraudulently conceal, forge, or falsify another’s identity or perform any other similar fraudulent activity.

4.7.3 Technical Prohibitions

Anyone to whom this Policy applies must not:

  • Access or interfere with, or attempt to access or interfere with, any other person’s computer or data without their prior authorization.
  • Engage in any activities that may interfere with the ability of others to access or use DefectDojo Systems or Networks.
  • Attempt to circumvent any authentication of or access to any System, Network, or Account.
  • Gain unauthorized access to, interfere with, circumvent, compromise, or otherwise breach or attempt to breach the normal functioning, operation, or security of DefectDojo servers, networks, network access, computers, computer systems or control devices, hosts, software, IP Service provider, accounts or data, or any other system. Examples of system or network security violations include but are not limited to:
    • Hacking, attacking, gaining access to, breaching, circumventing, or testing the vulnerability of the user authentication or security of any host, network, server, personal computer, network access and control devices, software, or data without the express authorization of the owner of the system or network;
    • Introducing, knowingly or unknowingly, any Malicious Software into the Service that may damage the operation of another’s computer, network system, or other property;
    • Attempting to monitor, probe, or scan any system or network with the aim of intercepting traffic or data without authorization, testing the vulnerability of a system or network without the express prior authorization of the owner of the system or network, or breaching security or authentication measures;
    • Interfering with service to any user, host, or network, or using any program, file, script, command, or transmission of any message or content of any kind designed to interfere with a terminal session, with access to or use of the Internet, or with any other means of communication;
  • Interfere with computer networking or telecommunications service to any user, host, or network, including, without limitation, denial of service attacks, flooding of a network, overloading a service, improperly seizing and abusing operator privileges, and attempts to “crash” a host.
  • Restrict, inhibit, interfere with, or otherwise disrupt or cause a performance degradation to the Products and Services or any DefectDojo host, server, backbone network, node, or service, or otherwise cause a performance degradation to any DefectDojo facilities used to deliver the Products and Services or to avoid any use limitations.
  • Misuse computer resources for crypto mining or the production of any other alternative currency.
  • Fail to take reasonable security precautions to help prevent violation(s) of this Policy.

5. Relevant Documents

  • Incident Management Policy
  • Data Classification Policy
  • Data Retention Policy