Effective Date: 1 January 2025
Version: 3.0 — Ultra-Final (Djenie Edition)

1. PURPOSE

This Responsible Disclosure Policy outlines how In Delay There Lies No Plenty Pty Ltd ACN 162 881 138 ATF Future Thinking Family Trust t/a Djenie ABN 98 399 797 036 (“Djenie”) receives, evaluates, and responds to good-faith security vulnerability reports.

This Policy aligns with:

  • ISO/IEC 29147 (Vulnerability Disclosure)
  • ISO/IEC 30111 (Vulnerability Handling Processes)
  • Australian Privacy Act 1988 (APP 11 – Security of Personal Information)
  • GDPR/UK GDPR security obligations
  • EU NIS2 transparency expectations
  • U.S. CFAA/DMCA safe-harbour principles
  • Coordinated Vulnerability Disclosure (CVD) best practice

Djenie extends Safe Harbour protections to researchers worldwide acting in good faith and within lawful boundaries.

2. SCOPE

This Policy applies to:

  • djenie.com
  • Djenie’s membership-platform systems (SMS v2)
  • APIs, authentication flows, backend systems
  • Cloud infrastructure controlled by Djenie

It excludes:

  • Third-party services not operated by Djenie
  • Social engineering
  • DDoS/DoS traffic
  • Physical security testing
  • Phishing or vishing attempts

3. PRINCIPLES FOR GOOD-FAITH RESEARCH

Researchers must:

  • Avoid harm and minimise impact
  • Not access, modify, or exfiltrate data
  • Limit testing to what is necessary to prove the issue
  • Respect privacy and confidentiality
  • Provide clear reproduction steps
  • Follow applicable laws and this Policy

4. GLOBAL SAFE HARBOUR

If acting in accordance with this Policy:

  • Djenie will not pursue civil action under CFAA, UK CMA, EU cybercrime equivalents, or similar laws.
  • No DMCA or Copyright Act action will be taken for good-faith testing.
  • Researchers will not be reported to law enforcement.
  • Contractual restrictions will not be enforced.
  • Accidental, minimal access to data is protected if immediately reported and not retained.

Safe Harbour applies globally wherever Djenie services are accessible.

5. AUTHORISATION BOUNDARIES

Authorised:

  • Systems owned and fully controlled by Djenie.

Not authorised:

  • Third-party providers
  • Cloud infrastructure outside Djenie’s control
  • Customer-owned systems
  • Partner or supplier systems

6. REPORTING A VULNERABILITY

Reports should be emailed to: security@djenie.com

Include:

  • Affected system or URL
  • Steps to reproduce
  • Expected vs. actual behaviour
  • Severity or potential impact
  • Proof-of-concept (optional)

Anonymous reports are accepted. Encrypted channels are available on request.

7. RESPONSE PROCESS (ISO-ALIGNED)

Djenie will:

  • Acknowledge valid reports within 5 business days
  • Classify severity within 10 business days
  • Provide remediation plans for high-severity issues within 20 business days
  • Resolve issues based on CVSS severity
  • Notify researchers upon remediation

If third-party vendors introduce delays, Djenie will communicate expected timelines and coordinate external disclosure.

8. RECOGNITION

At Djenie’s discretion, researchers may receive:

  • Public acknowledgment (with consent)
  • Non-financial recognition for impactful reporting

No financial rewards are offered.

9. RESEARCHER EXPECTATIONS

Researchers must not:

  • Publicly disclose vulnerabilities prior to coordinated release
  • Modify, delete, or copy data
  • Degrade service performance
  • Attempt privilege escalation beyond minimal reproduction
  • Perform phishing/social engineering

10. PUBLIC DISCLOSURE WINDOW

Researchers may publicly disclose:

  • After Djenie confirms remediation, OR
  • 90 days after acknowledgement if the issue is unresolved, unless a mutually agreed extension is provided.

11. THIRD-PARTY COMPONENTS

If a vulnerability involves an external vendor:

  • Djenie will coordinate with the vendor
  • Timelines will be shared transparently
  • Djenie will support safe, responsible disclosure paths

12. PRIVACY, DATA HANDLING & STORAGE

Reports and associated logs are:

  • Encrypted at rest
  • Accessible only on a least-privilege basis
  • Retained only for the minimum period necessary for remediation and audit

13. CONTACT

Security Team — security@djenie.com
Djenie, Brisbane, Australia

VERSION CONTROL & GOVERNANCE

Version: 3.0 — Ultra-Final (Djenie Edition)
Effective Date: 1 January 2025
Approval: Chief Executive Officer, Djenie
Change Summary: Complete rewrite for Djenie context; replaced Cushi systems with SMS v2; updated Safe Harbour boundaries; aligned to Djenie governance and security posture.
Review Cycle: Annual or earlier if required.