// SECTION 1
Research Authorization Policy

All offensive security research conducted by 22nd Survey Division is performed exclusively on owned hardware in an isolated test environment, or on explicitly authorized systems under written engagement agreements. No research is performed against third-party infrastructure, cloud services, or production systems without documented written authorization from the asset owner.

01 — SCOPE
Own Hardware Only
All malware development, AV evasion testing, C2 deployment, and exploitation research occurs exclusively on researcher-owned machines (George Wu, 22nd Survey Division) or Raed Ghaleb's explicitly authorized machines under the survey partnership. Isolated network segments. No outbound C2 to third-party hosts without authorization.
02 — AUTHORIZATION
No Unauthorized Access
Research does not access, modify, or impair any computer system, network, or data without explicit prior authorization. All test targets are owned or authorized. No mass-targeting tools. No infrastructure scanning beyond authorized scope. This is a hard limit with no exceptions.
03 — ISOLATION
Test Environment Isolation
C2 infrastructure (CHEYANNE, ECLIPSE) operated for research runs on isolated local networks or explicitly authorized remote environments. Beacon payloads do not propagate beyond the test environment. GPS and SMS exfiltration research (StarKiller) conducted exclusively against the researcher's own devices.
04 — RECORDS
Research Documentation
All research activity is documented: PENTEST_LOG.md per engagement, RESEARCH_LOG.md for ongoing vulnerability research. Research authorization records maintained in github.com/rainfantry/csec-research-authorization (public). MSRC submissions logged with reference numbers. MITRE CVE submissions tracked.

Public research authorization statement: github.com/rainfantry/csec-research-authorization

// SECTION 2
Applicable Legislation & Compliance

Research and training operations comply with the following Australian and international legal frameworks. Where our research engages techniques that would otherwise constitute computer offences, all applicable authorization and ownership conditions are met.

CRIMINAL CODE ACT 1995 (CTH) — PART 10.7: COMPUTER OFFENCES
s.477.1 — Unauthorized access, modification or impairment with intent to commit a serious Commonwealth offence. 22DIV compliance: all access to computer systems is authorized — own hardware or explicit written consent.

s.477.2 — Unauthorized modification of data to cause impairment. 22DIV compliance: no modification of third-party data. Test data is synthetic or owned.

s.477.3 — Unauthorized impairment of electronic communication. 22DIV compliance: no interference with communications infrastructure. C2 beacons operate on owned or authorized systems only.

s.478.1 — Unauthorized access to, or modification of, restricted data. 22DIV compliance: all data accessed during research is owned by or explicitly made available to the researcher.

PRIVACY ACT 1988 (CTH) — AUSTRALIAN PRIVACY PRINCIPLES (APPs)
Research involving real device data (GPS coordinates, SMS content in StarKiller testing) is conducted exclusively on devices owned by the researcher. No third-party personal data is collected, stored, or processed during research. Course student data is limited to PIN authentication — no personal data stored beyond session scope.

CORPORATIONS ACT 2001 (CTH) — COMPANY OBLIGATIONS
OCCUPATION FORCE CALLSIGN GSW PTY LTD (ACN 692 429 397) is a registered Australian proprietary limited company incorporated 1 November 2025 in New South Wales. All commercial activity (course sales, encrypted source package distribution) conducted under this entity in compliance with Australian Consumer Law (Competition and Consumer Act 2010, Schedule 2).

CYBERCRIME ACT 2001 (CTH) — SCHEDULE TO CRIMINAL CODE
The provisions of the Cybercrime Act 2001 are incorporated into the Criminal Code Act 1995. Research activities comply with all carve-outs for authorized computer access. Security research on own hardware with no unauthorized access does not constitute an offence under these provisions.

// SECTION 3
Responsible Disclosure Policy

22nd Survey Division follows Coordinated Vulnerability Disclosure (CVD) as defined by the Australian Cyber Security Centre (ACSC) and consistent with ISO/IEC 29147:2018 (Vulnerability Disclosure). Novel vulnerabilities are reported to the relevant vendor or authority before any public disclosure.

TIMELINE
90-Day Embargo
Findings are submitted to the relevant vendor (MSRC, MITRE, CERT/CC, ACSC) and held for 90 days before public disclosure. The embargo clock starts from vendor acknowledgement. If the vendor closes the case without remediation (as with VULN-195458), the embargo is void and findings are published.
SUBMISSION
Vendor-First
All submissions go to the vendor's official security disclosure channel first. No bug bounty platform jumping, no social media disclosure, no conference dropping before the vendor has had time to triage. MSRC: msrc.microsoft.com. MITRE CVE: cveform.mitre.org. ACSC: cyber.gov.au/report.
RECORD
Published Disclosures
MSRC VULN-195458 — HWBP Tamper Protection bypass (AmsiScanBuffer/NtTraceEvent via DR0+VEH). Submitted before public release. MSRC closed as out-of-scope for Defender; embargo void; technique published. CVE submissions: MITRE case #49, #53 (vader-toctou TOCTOU race condition series).
SCOPE
What We Report
Novel vulnerabilities with confirmed impact: memory corruption, privilege escalation, authentication bypass, defence bypass with persistence. Techniques that bypass security controls without a vulnerability (LOLBAS, HWBP, process hollowing) are documented as attack-surface analysis, not CVE-eligible bugs, and published directly after vendor notification.

Disclosure record and research authorization: github.com/rainfantry/csec-research-authorization | Research findings: github.com/rainfantry/22sd-research-findings

// SECTION 4
Acceptable Use Policy — Course Content & Source Packages

Source packages distributed to course students (encrypted 7z archives of private repositories) are provided for educational and authorized security research purposes only. By purchasing access and receiving a PIN, students agree to the following terms.

| CONDITION | PERMITTED | PROHIBITED |
| --- | --- | --- |
| Target scope | Own hardware, authorized test environments, CTF infrastructure, explicitly engaged pentest targets under signed contract | Any system you do not own or have explicit written authorization to test |
| Code modification | Modification for personal research, learning, and authorized engagements | Commercial redistribution, resale, or sublicensing of source code or derived works |
| Disclosure | Publishing independent research derived from techniques learned in the course with original findings | Redistribution of course source code; sharing decryption password; sharing decrypted archives |
| Deployment | C2 deployment on own infrastructure for research and authorized engagements | Deploying CHEYANNE, ECLIPSE, StarKiller or any course tool against unauthorized targets. Deploying as persistent access on any third-party system without authorization. |
| VirusTotal / AV telemetry | Local AV testing on own machine, offline scanning | Uploading binaries to VirusTotal, Hybrid Analysis, Any.run, or any cloud sandbox. This degrades evasion for every user and is explicitly prohibited. |

Violation of this policy voids access without refund. Legal action may follow for unauthorized access to third-party systems using course materials — this falls under Criminal Code Act 1995 (Cth) s.477.1 and equivalent state cybercrime legislation. You are responsible for your own compliance with applicable law in your jurisdiction.

NOTE ON LEGAL USE OF OFFENSIVE TOOLS — AUSTRALIAN JURISDICTION
In Australia, possession and use of offensive security tools is not inherently illegal. Criminal liability under the Criminal Code Act 1995 (Cth) Part 10.7 requires unauthorized access or intent to cause impairment. Security researchers, penetration testers, and students using these tools on own or authorized systems are within the law. Students are responsible for obtaining appropriate authorization before deploying any offensive technique and should maintain written records of authorization for all engagements.

// SECTION 5
Governing Authorities & Frameworks

22nd Survey Division aligns research and disclosure practices with the following authorities and frameworks.

| AUTHORITY / FRAMEWORK | RELEVANCE | OUR POSITION |
| --- | --- | --- |
| Australian Cyber Security Centre (ACSC) | National cybersecurity authority — CVD guidelines, threat intelligence, Essential Eight | CVD process follows ACSC guidance. Findings reported via cyber.gov.au/report where applicable. |
| Australian Signals Directorate (ASD) | Parent of ACSC — signals intelligence and cyber operations doctrine | ASD Essential Eight used as defensive benchmark for all evasion research. Bypass techniques documented against E8 controls. |
| Microsoft Security Response Center (MSRC) | Vendor disclosure channel for Windows vulnerabilities | Active submitter. VULN-195458 submitted and closed. Future Windows internals findings submitted to MSRC first. |
| MITRE Corporation (CVE Program) | CVE numbering authority — formal vulnerability registry | CVE submissions for discrete vulnerabilities (vader-toctou series, MITRE cases #49, #53). ATT&CK framework used for technique mapping in course. |
| ISO/IEC 29147:2018 | International standard — Vulnerability Disclosure | Disclosure timeline and vendor-first policy consistent with this standard. |
| ISO/IEC 30111:2019 | International standard — Vulnerability Handling Processes | Internal research triage and documentation follows this standard's handling process framework. |
| CERT/CC (Carnegie Mellon) | Original CVD authority — coordination for multi-vendor findings | Escalation path for multi-vendor vulnerabilities where single vendor disclosure is insufficient. |
| MITRE ATT&CK | Adversary tactics and techniques knowledge base | All course techniques mapped to ATT&CK TTP IDs. Research findings documented with ATT&CK technique references. |
| Criminal Code Act 1995 (Cth) Part 10.7 | Primary Australian cybercrime legislation | All research conducted in compliance. Own hardware. No unauthorized access. Written records maintained. |