We would like to ask you to help us better protect our clients and our systems.
You can help us by following these guidelines:
- E-mail your findings to firstname.lastname@example.org, if possible please encrypt your findings using our public PGP key to prevent this sensitive information from falling into the wrong hands;
- Not abusing the vulnerability by downloading more data than is minimally needed to prove the vulnerability, or looking at, modifying or deleting private information;
- Not sharing this vulnerability with others until it has been remediated and deleting all confidential data that has been obtained through this vulnerability;
- Not attacking our physical security measures, use social engineering, distributed denial of service (DDOS), spam or third-party applications; and
- Supply us with the information we need to reproduce / prove the vulnerability exsits so we can fix it as soon as possible. Usually the public IPv4 / IPv6 address of the vulnerable server together with a description should be enough information, in some cases we might need to work more closely with you.
Some security errors are not eligible for a reward as they have a low impact on the security of our systems. Please don't mention these problems unless a combination of errors can lead to a security issue with a greater impact. The following type of security errors are some examples:
- General error messages regarding application or server errors.
- HTTP 404 en other non HTTP 200 error codes
- Accessibility of public files and folders (like robots.txt)
- CSRF-issues on parts of the site that are available to anonymous visitors
- CSRF-issues without (critical) consequences for users
- Trace HTTP functions that may be active
- SSL attacks like BEAST, BREACH, Renegotiation
- SSL Forward secrecy unused
- Anti-MIME-Sniffing header X-Content-Type-functions
- Missing HTTP security headers
- Presence of HTTPS Mixed Content Scripts / errors
We promise you that:
- We will respond within 3 business days after receiving your report and give you an estimated time/date when the vulnerability will be remediated,
- If you have followed the guidelines above, we will not take any legal action against you with regards to the exploitation of the vulnerability you reported,
- We will treat your report with the upmost confidentiality and won't share your personal information with third-parties unless the law dictates otherwise. You are allowed to use an alias to contact us if you think that is necessary to protect your privacy,
- We will keep you informed about the progress we make in dealing with the vulnerability,
- In any news coverage regarding this vulnerability we will, if you wish so, give you credit for bringing the vulnerability to our attention,
- In gratitute for your help we will offer a reward for any, to us unknown, vulnerability. The height of this reward is based on the impact of the vulnerability and the quality and level of detail of your report.
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.
This Responsible Disclosure policy is based on: responsibledisclosure.nl
Last updated: 12-03-2018