The IoD project welcomes all researchers. We are a loose-knit effort to focus research and advocacy efforts. The site and its operators will help where possible to support researchers' work and their vulnerability reporting.
In order to protect the project and yourself, if you wish to work with the IoD, we ask that you adhere to the following, fairly sensible code of conduct:
You will adhere to the principles of coordinated disclosure and the rest of this code of conduct.
Do no harm. You will not intentionally damage any vendor systems or violate the privacy of any of their customers. Avoid attacks likely to crash server-side services, such as buffer overflows or similar. Attacking local devices, like phones, is generally fine but should be done with due caution. Should you cause any issues, you will do your best to alert the vendor to the specific issues and help them remedy the situation ASAP.
You will check in advance for, and respect, any rules or requirements that the affected vendor has posted on their website (scope limitations, scale, types of testing).
You will maintain professionalism when dealing with the subject matter (avoiding intentional, excessive innuendo, juvenile humour, etc.) when dealing with vendors or speaking about the project publicly. We're all adults here.
You will not attempt to extort, blackmail or otherwise threaten vendors with your research.
You will not ask for compensation, remuneration or anything of value from the IoD project or vendors.
Should compensation (monetary, product or otherwise) be offered, it is up to you to decide whether you feel comfortable accepting it. If you choose to accept any offered compensation, be transparent about your acceptance of it with your fellow researchers.
If you encounter sensitive material accidentally (e.g. personally identifying information), you will maintain the confidentiality of that material at all costs. You will disclose your discovery of PII to the vendor during the vulnerability reporting process and abide by their wishes for storage, handling and potential usage after reporting and remediation (up to and including secure destruction of all copies).
If you've not submitted a vulnerability under the IoD name previously, contact the IoD at firstname.lastname@example.org with your research before sending anything to the vendor. We just wish to make sure you understand this code of conduct and the process for disclosure before attaching our name and support to you.
While you can speak and write about your specific work and contributions with the IoD project and mention your participation in it, you will not claim to directly represent the IoD project itself unless specifically authorised by GPG-signed email from RenderMan.
The IoD project has the right to disavow association with, and revoke support for, any researcher who violates this code of conduct, and to post such revocation and the reasons for it publicly.
The IoD project assumes no liability for the legality of any research done. It is up to each researcher to consult legal counsel and ensure they are abiding by all local laws.
If you do not want to adhere to this code of conduct, you will not mention any association with the IoD project nor claim any support from us.
In exchange for your adherence to this code of conduct and working with the IoD project, we can offer the following benefits (possibly more to come):
Vulnerability submission by proxy: We can submit your vulnerability to the vendor and act as a proxy between the parties. This can provide you some anonymity if for whatever reason you want it (often because of the nature of the content or your employer). We reserve the right to review materials before submission to the vendor for liability issues and propriety.
Results verification: We have a "library" of devices available and can verify and perhaps refine your findings before submission. This is useful if you are unsure whether your finding is reproducible.
Collaboration with a growing community of IoD device researchers to expand your skills and knowledge.
As devices become available, and if you are interested, we can provide additional devices on loan for you to test and expand your body of work with the IoD.
Potentially, discounts on devices for research purposes (at the vendor's discretion and willingness).
Credit where credit is due: You'll be able to cite publicly (if you choose) your contribution to this unique and important project, adding to your professional reputation.
You'll be one of an elite few with a credit in a DVE and be able to legitimately claim you've hacked sex toys (it's a great line to use in a bar).
Continued participation and results can lead to invitations to participate in IoD talks around the world and other events as they become available.