Vulnerability Disclosure

Who we are

Suggested text: Our website address is: https://maltaschoolgames.gov.mt/

Comments

Suggested text: When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

Suggested text: If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Cookies

Suggested text: If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Suggested text: Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Who we share your data with

Suggested text: If you request a password reset, your IP address will be included in the reset email.

How long we retain your data

Suggested text: If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

Suggested text: If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where your data is sent

Suggested text: Visitor comments may be checked through an automated spam detection service.

Vulnerability Disclosure Policy

1. Purpose

This policy aims to provide clear direction and endorsement on vulnerability disclosure and associated activities, including research and testing, conducted in good faith by researcher(s) on systems owned by the Agent and the Government. The Agent is committed to safeguarding Government data and services from escalating cyber threats through the implementation of cutting-edge security infrastructure. To ensure comprehensive security oversight, it actively monitors and coordinates security matters within Government infrastructure through govmtCSIRT – the Government CSIRT. This coordinating role shall also pertain to vulnerability disclosures through this Policy. Ultimately, through this Policy, the Government reaffirms its belief in continuous security improvements, based on the premise that systems can never be completely foolproof. Furthermore, the Government recognizes the potential contribution of the cyber-research community and individual researcher(s) to its public-facing systems, as reflected within the Scope of this Policy.

2. Scope

This Policy applies to researcher(s) engaging in good-faith vulnerability research activities on public-facing systems owned by the Agent or Government and which have a security.txt file located at maltaschoolgames/.well-known/security.txt.
Note: Any system not as specified above is excluded from the Scope and is therefore not authorized for vulnerability research activities. Activities not conformant to the provisions of this Policy are excluded and therefore not endorsed.

3. Definitions

Underlined terms are defined in the Vocabulary (GMICT X 0003).

4. Research and Testing

Rationale
The following are the Policy provisions expected of the researcher(s) during the conduct of research and testing activities.
  1. Every effort shall be made to refrain from engaging in:
    • Violating privacy rights.
    • Degrading user experience.
    • Disrupting systems.
    • Destroying or manipulating data.
    • Activities that contravene established law or that may lead the Agent, Government, or their partner organisations to be in breach of any legal obligations.
  2. The scoping of testing activities shall be proportionate to confirming the presence of a vulnerability. The use of exploits is prohibited for the following:
    • Illegally extracting or exfiltrating data.
    • Opening, copying, or deleting files.
    • Utilising and exploiting command line access.
    • Pivoting to other systems.
  3. Social engineering and/or Denial of Service (DoS or DDoS) attacks are not permitted.
  4. No attempt shall be made to escalate privileges or move laterally within the system.
  5. Services provided by the Agent and Government third-party suppliers shall not be tested.
  6. Malware or any form of malicious code shall not be used.
  7. The General Data Protection Regulation, (EU) 2016/679, and the Data Protection Act (CAP 586) shall be adhered to. The infringement upon the privacy of individuals, organisations, systems or services associated with the Public Administration, including the Agent, shall be avoided. The sharing, redistributing or the inadequate securing of any such data obtained shall not be allowed.
  8. Any data retrieved during research and testing shall be securely deleted as soon as it is no longer required or within one month of the vulnerability being resolved, whichever comes first.

5. Reporting

Rationale
govmtCSIRT has the sole responsibility for coordinating all vulnerability disclosure activities on the Agent and Government systems. The following are the Policy provisions, including obligations from the researcher(s), when reporting to govmtCSIRT.
  1. Upon confirmation of the existence of a vulnerability, testing shall be immediately halted, govmtCSIRT informed, and no associated information shall be disclosed to third parties or to the general public.
  2. govmtCSIRT shall be promptly notified of any discovered vulnerability, whether real or potential, within seventy-two (72) hours of its discovery.
  3. The security vulnerability shall be reported to govmtCSIRT, using the structure as shown in Appendix 1.
  4. Reported vulnerabilities shall not be disclosed without coordination with govmtCSIRT.
  5. Testing shall be immediately halted, govmtCSIRT shall be informed, and no associated information shall be disclosed if any of the following is encountered during testing:
    • Personally identifiable information.
    • Financial information.
    • Proprietary information or trade secrets belonging to any party.
    • Classified Government information.
    • Gaining command line access.

6. Response

Rationale
The following are obligations from the researcher(s) and expectations of the Agent in response to vulnerability disclosures.
  1. After a vulnerability reported to govmtCSIRT is assessed, the Agent shall issue a report indicating the true impact and CVSS score. The Agent's report shall be the final indication of the severity of the vulnerability.
  2. The Agent shall respond to researcher(s)' reports within five (5) working days and provide a preliminary assessment within ten (10) working days. The Agent shall strive to keep the researcher(s) informed throughout the process of addressing the vulnerability.
  3. Prioritisation of the vulnerability by the Agent shall be based upon the following:
    • The impact of the vulnerability.
    • The complexity of exploiting the vulnerability.
    • The likelihood of the vulnerability being exploited.
  4. The Agent shall classify the vulnerability according to the following severity levels and their associated definitions. The expected time for remediation is as follows:
    • Low: a vulnerability that, if exploited, poses minimal or negligible harm to the Agent, Government, and their partner organizations. Time for remediation: one (1) year.
    • Medium: a vulnerability that, if exploited, will result in substantial harm to the Agent, Government and their partner organizations. Time for remediation: one hundred and eighty (180) days.
    • High: a vulnerability that, if exploited, will inflict extensive harm to the Agent, Government and their partner organizations. Time for remediation: ninety (90) days.
  5. The researcher(s) shall refrain from inquiring about the status of the vulnerability remediation more than once every fourteen (14) working days. The Agent shall inform them accordingly when the reported vulnerability has been remediated and may invite them to confirm that the vulnerability has been adequately addressed.
  6. The researcher(s) may submit a request to disclose the report, after the vulnerability has been successfully remediated.
Best Practice
The Agent encourages researcher(s) to coordinate the public release of information with the Agent, as this provides the opportunity for a unified and coherent message of guidance to the relevant stakeholders.

7. Appendix 1: Structure of report to be used when informing govmtCSIRT of a vulnerability discovered.

Each section of the report is listed below with whether it is mandatory and what it should contain.
  • Email to (mandatory): [email protected]
  • Title (mandatory): A short description of the vulnerability. E.g., Admin privileges through cross-site scripting.
  • Affected Asset (mandatory): The asset that has the vulnerability, such as a web address, IP address, service or product name.
  • Weakness (mandatory): A description of the weakness. Preferably follows the CWE format:
    • https://cwe.mitre.org/
    • https://cwe.mitre.org/data/definitions/699.html
    • https://cwe.mitre.org/data/definitions/1194.html
  • Impact (optional): In your opinion, list the severity of the impact on the Agent and the Maltese Government. Low: Minimal impact. Medium: Significant impact. High: Serious impact. Critical: Detrimental impact.
  • CVSS Score (optional): Calculate, in your opinion, the CVSS score via https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  • Description of the vulnerability (mandatory):
    • A summary of the vulnerability.
    • Supporting files (e.g., screenshot or video).
    • Any mitigations or recommendations.
  • Steps to Reproduce (mandatory):
    • Clear and descriptive steps to reproduce the vulnerability.
    • Proof of concept code if available.
  • Contact Details (mandatory): Name, Surname, Mobile Number, Email.

8. Conformance to this Policy

Any activity by the researcher(s) beyond the Scope of this Policy shall be subject to legal prosecution.
No legal action shall be taken by the Agent if the researcher(s) conform to the provisions of this Policy. The Agent may take steps to make the conformance known if legal action is instituted by a third party against such researcher(s).
However, legal action shall be taken by the Agent against researcher(s) who attempt to hold it to ransom, even if they are operating within the Scope of this Policy.

9. Issuing Authority

This document has been issued by the Principal Permanent Secretary.

10. Contact Information

Government ICT Policies may be found at http://ictpolicies.gov.mt. Any suggestions, queries or requests for clarification regarding Government ICT Policies may be forwarded to [email protected].