Responsible Disclosure Agreement

Introduction

Safaricom Telecommunications Ethiopia PLC is committed to ensuring the security of its products and protecting customer information. This Responsible Disclosure Agreement sets forth the terms and conditions for reporting security vulnerabilities to Safaricom Ethiopia. By submitting a vulnerability report, you agree to be bound by the terms of this Agreement.

1. Acknowledgment of Reports

   Company acknowledges and appreciates the efforts of security researchers in reporting vulnerabilities responsibly. We welcome and encourage responsible disclosure reports. The company does not offer rewards for reported vulnerabilities at this moment.We will start a bug bounty program in the near future.

2. Responsible Disclosure Guidelines

   Security researchers are required to adhere to the following guidelines when reporting vulnerabilities. Under this Agreement, "research" means activities in which you:

   • - Notify us as soon as possible after you discover a real or potential security issue.
   • - Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
   • - Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
   • - Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
   • - Do not submit a high volume of low-quality reports.
   • - Provide detailed information about the vulnerability, including steps to reproduce and potential impact.
   • - Include your contact information for further communication.

   Once you've established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

3. Testing Methods

   The following test methods are not authorized:

   • - Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
   • - Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
4. Scope

   This policy applies to the following systems and services:

   • - *.safaricom.et
   • - M-PESA

   Vulnerabilities found in systems owned and managed by our vendors, fall outside of this policy scope and should be reported directly to the vendor according to their disclosure policy (if any).

5. Response Timeframe

   The company commits to acknowledging receipt of vulnerability reports within 72 business hours. Our team will diligently investigate and promptly address reported issues. The resolution timeframe may vary based on the complexity and severity of the identified vulnerability

6. Non-Disclosure Agreement (NDA)

   By submitting a vulnerability report, both parties agree to maintain confidentiality regarding the reported issue and any related communication. The details of the vulnerability and the disclosure process should not be disclosed to third parties without the express consent of the Company.

7. Legal Disclaimer

   Submitting a vulnerability report does not guarantee a reward or immunity from legal action if the researcher violates any terms of this Agreement. The company reserves the right to take appropriate legal action in response to any unauthorized or malicious activity.