Security Policy & Responsible Disclosure

Guidelines for responsibly reporting security vulnerabilities to RNIDS, including scope, process, and legal safe harbor.

Last updated: 15.12.2025.

1. Purpose and Scope

The purpose of this Security Policy is to define the approach for reporting, handling, and responding to information security vulnerabilities identified on the rnids.rs website and its associated systems.

This policy supports responsible vulnerability disclosure and aligns with recognized information security standards, including ISO/IEC 27001, as well as applicable European Union cybersecurity regulations, including the NIS2 Directive.

This policy applies to the public website rnids.rs, related web applications, backend services, and supporting infrastructure under the operational control of RNIDS.

2. Responsible Disclosure Principles

RNIDS encourages security researchers, partners, and third parties to report security vulnerabilities in a responsible, coordinated, and ethical manner.

RNIDS commits to acknowledging reports in a timely manner, objectively assessing reported issues, implementing remediation measures proportionate to the identified risk, and maintaining confidentiality throughout the vulnerability handling process.

Reporters are expected to avoid actions that may disrupt service availability, compromise user data, or violate applicable laws.

3. In-Scope Systems

The following systems are considered in scope for vulnerability reporting:

- Public website and web application functionality of rnids.rs;

- APIs and services exposed via the website;

- Authentication, authorization, and session management mechanisms;

- Input validation, data processing, and access control mechanisms.

4. Out-of-Scope Activities

The following activities are explicitly out of scope and are not permitted:

- Denial-of-service (DoS/DDoS) testing or traffic flooding;

- Brute-force attacks against authentication or access control mechanisms;

- Social engineering or phishing attempts targeting employees, registrars, or users;

- Physical security testing;

- Testing of systems or services not operated or controlled by RNIDS.

5. Reporting a Security Issue

Security vulnerabilities should be reported using one of the following channels:

Email: email

Reports should include a clear description of the issue, steps to reproduce the vulnerability, affected URLs or systems, and any supporting evidence. Encrypted communication may be used in accordance with the encryption information provided in the security.txt file.

6. Incident Handling and Response

All reported security issues are processed through RNIDS’s internal incident management procedures, aligned with ISO/IEC 27001 requirements for information security incident management.

The process includes acknowledgement of receipt, triage and classification, risk assessment, remediation planning and implementation, verification of corrective measures, and formal closure.

Where applicable, incidents are escalated and reported in accordance with legal and regulatory obligations, including those defined under the NIS2 Directive.

7. Confidentiality and Data Protection

All vulnerability reports are treated as confidential. RNIDS limits access to incident-related information on a need-to-know basis and processes any personal data in accordance with applicable data protection regulations.

8. Legal Safe Harbor

RNIDS considers vulnerability research conducted in accordance with this policy to be authorized. RNIDS will not initiate legal action against individuals who act in good faith, comply with this policy, and allow reasonable time for remediation prior to public disclosure.

9. Policy Review and Maintenance

This Security Policy is reviewed periodically and updated as necessary to reflect regulatory changes, technological developments, and improvements in security practices.

The current version of this policy is published at: security policy

10. Contact

For security-related inquiries, please contact:

RNIDS Security Team

Email: email
