Scope of this policy
The scope of this policy is to inform anyone who has found a weak spot about the next steps. It is explicitly not an invitation to actively scan our infrastructure for weak spots. However, if you do find a vulnerability, we want you to know how we will handle it, what we expect from you, and what you can expect from us.
What do we expect from you?
- If you have found a weakness in our application, please send us an e-mail to firstname.lastname@example.org, encrypted with our PGP key.
For a clear description, please include the information below:
- What domain is this notification referring to?
- Please describe the steps you have taken
- What objects have you used? For example: filters, text fields, etc.
- What is the URL?
- Can you include a screenshot of the result?
- What browser(s) and what version(s) did you spot the weakness in?
- What operating system (and version) have you used?
- Can you include the application, script and/or code used?
If you would like us to include you in the follow-up, please include your contact details. We understand if you wish to remain anonymous.
- Don’t abuse the vulnerability by, for example, downloading, editing, or deleting data.
- Do not share the finding with anybody until we have investigated and solved potential issues. In our communication plan, we will decide how we are going to communicate about the vulnerability. If you wish, we can share this communication plan with you.
- Don’t use attacks on physical security, social engineering, or hacking tools such as vulnerability scanners.
What can you expect from us?
- After you share your findings with us, we will confirm receipt of your message and start investigating with high priority. Within 2 business days, we will respond to you with our evaluation of your and our findings, and with an expected resolution date.
- Your report will be handled confidentially. No personal information will be shared with third parties without your written consent. The only exception is if authorities (such as the police) require us to share this information.
- If you wish, we will keep you informed about the progress of the solution for the reported issue.
- If you wish, and did not choose to remain anonymous, we will name you as the party that discovered the vulnerability.
- If you follow the rules in this policy, we will not take legal action against you.