
Vulnerability Disclosure Policy

About the Company

In the area of civil aviation, Letiště Praha, a. s. is the operator of the largest international airport in the Czech Republic. As such, it has important responsibilities regarding the security of civil aviation which arise from international and national legislation. In this respect, the civil aviation security level at Václav Havel Airport Prague is perceived as the level that is secured by the Czech Republic.

The security strategy covers all important activities and provided services which have an impact on the safety of passengers, employees and other users of Václav Havel Airport Prague, as well as on creating a safe environment for the business activities of other entities, especially airlines, air service providers and commercial organisations operating at the airport.

The Prague Airport security strategy aims to define the way protection is ensured for employees, passengers and other users of the airport, resources, information, integrity and reputation of the company against potential threats. It also includes evaluation of the security environment and analysis of risks endangering assets which are protected by Letiště Praha, a. s.

In the widest sense, security is a concept which is reflected in all activities of the organisation; however, it becomes more prominent in the case of an entity working in the civil aviation sector.

Letiště Praha, a. s. understands security as a complex concept encompassing, in particular, the following areas:

  • Protection of civil aviation against criminal acts
  • Protection of persons, company assets and employees
  • Protection of public order and prevention of criminality
  • Administrative security and information security
  • IT security
  • Fire protection
  • Operational safety
  • Occupational health and safety

Information about processing of personal data in the security camera system operated by Letiště Praha, a. s.

Vulnerability Disclosure Policy

Letiště Praha a.s. (hereinafter as "the Company") considers the security of its passengers, customers and the protection of their data, information and personal data to be of utmost importance. To honour its commitment to ensure a high level of information and cyber security of its information systems, a vulnerability disclosure process has been introduced. The Vulnerability Disclosure Policy aims to promote reliable and safe disclosure of vulnerabilities found in the information systems of Prague Airport.

Last updated

  • Version 1, dated 1 Jan 2023.

Distribution list for reporting vulnerabilities

  • Please send any specific questions or comments to the CSOC LKPR team’s email address: csoc@prg.aero.  

Document availability

  • The current version of this descriptive document is available on the CSOC LKPR website.

Contact information

Team name

CSOC LKPR: CSOC team of Letiště Praha, a.s.

Address

CSOC LKPR
Jana Kašpara 1069/1
161 00 Prague 6 – Ruzyně
Czech Republic

Time zone

Central European Time (CET +1, from the last Sunday in October to the last Sunday in March), Central European Summer Time (CEST +2, from the last Sunday in March to the last Sunday in October).

Electronic address

To report incidents or for any other communication, please use csoc@prg.aero. Emails are usually answered within 12 hours.

Public keys and encryption

To report incidents and for related communication, please use the key below.
Communication key (use for verification and encryption):

  • User ID: CSOC-LKPR <csoc@prg.aero>  
  • Key ID: 0x74F4 C68E 0F93 F9D4  
  • Fingerprint: 0x9706 43B8 B539 2DBF 3634 9F25 74F4 C68E 0F93 F9D4   

General information about CSOCSIRT LKPR can be found on the team’s website or the Trusted Introducer website. The security team of Prague Airport is known online as CSOC Prague Airport or LKPR.

Public contact

Email is the preferred means of contacting CSOC LKPR. Please report any incidents or send any related inquiries to csoc@prg.aero. If it is not possible (or not safe) to use email, you can contact CSOC LKPR by phone. CSOC LKPR's working hours are 24/7/365.

Scope of authority

This Policy applies to all systems and applications owned or operated by the Company, including websites, web applications and application programming interfaces. 

Allowed scope of testing

All testing methods are allowed except those that degrade or disrupt the operation of a system. The following testing methods are forbidden:

  • DoS tests, DDoS tests or other tests that impair access to or damage a system or data.
  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
  • Full red-team penetration testing that involves unauthorized access to our servers.

Allowed forms

Information provided under this Policy will only be used for defensive purposes, i.e. to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely LKPR, we may share your report with the National Cyber and Information Security Agency (NÚKIB). We will not share your name or contact details without your express consent. The Company accepts vulnerability testing reports only in Portable Document Format (PDF); reports in any other format will not be accepted or considered valid. The report itself must contain the following:

  • A description of where the vulnerability was discovered and the potential impact of its exploitation.
  • A detailed description of the steps needed to reproduce the attack (PoC).
  • Preferred languages: Czech or English

Response time

There are no automatic replies to received reports or inquiries. The security team of CSOC LKPR reviews all received messages and replies as soon as possible, no later than one working day after receipt. LKPR does not respond to complaints or questions as they are not covered by the VDP.

Financial rewards

LKPR does not provide any rewards for reporting vulnerabilities. Submitting an accurate vulnerability report may, however, place the Reporter in LKPR's Hall of Fame. Those who report vulnerabilities to LKPR hereby waive any claim to a reward.

The Hall of Fame aims to acknowledge and celebrate the contribution of those who have identified and reported significant security issues in web applications. The following rules apply to the induction into the Hall of Fame:

  • Before its discovery, the vulnerability should not have been reported or disclosed by anyone else.
  • The vulnerability must be of critical importance and must pose a significant threat to the security of the web application or its users. Critical vulnerabilities include, for example, SQL injection, cross-site scripting (XSS) and remote code execution.
  • The vulnerability must be reported responsibly and ethically following the new vulnerability reporting procedure. This includes providing detailed information about the vulnerability, how it could be exploited and the steps to reproduce it.
  • The person reporting the vulnerability must follow all legal and ethical rules and must not use the vulnerability for personal gain or harm.
  • The person reporting the vulnerability must agree to disclose the vulnerability only after allowing the party concerned enough time to fix the issue and after the party confirms that the issue has been fixed.
  • The person reporting the vulnerability must agree to be publicly identified and acknowledged as the person who has discovered the vulnerability. His or her name or alias will be published in the Hall of Fame.
  • At its discretion and in exceptional circumstances, the Hall of Fame Committee may make exceptions to any of the rules mentioned.