Responible disclosure

Background
share close

Have you found a vulnerability?….

then you are bound by the following rules:

  • To review your report, you can send us an e-mail. You can report your finding via this e-mail. We will then assess the finding.
  • Not abusing your finding by, for example, downloading more data than necessary to demonstrate the leak or accessing, deleting or modifying third-party data.
  • Not sharing your finding with others until it has been resolved by us or if we have agreed this together.
  • Deleting and/or destroying our confidential data that may have been obtained as a result of the weakness immediately after agreeing with us.
  • Not to use the finding to make attacks on physical security.
  • Not doing the finding by means of social engineering, distributed denial of service or spam.
  • If finding the vulnerability in our systems is a consequence of a possible criminal offence or wrongful act, we will not take any legal action against you if you have complied with our terms and conditions relating to our ‘Responsible Disclosure’.

Out-of-scope vulnerabilities:

  • User enumeration without any impact
  • Clickjacking without a security/privacy risk on pages without sensitive actions
  • Denial of service
  • Vulnerabilities without obvious security risk (e.g.: Logged-Out CSRF)
  • CSRF without demonstrated vulnerability
  • Self XSS or XSS only possible on very outdated browsers
  • Content spoofing/text injection that does not result in XSS or sensitive data disclosure
  • Rate limiting vulnerabilities without clear impact
  • Reporting tools and scans
  • Missing cookie flags on non-sensitive cookies
  • Missing security headers that do not directly lead to a vulnerability
  • Version exposure
  • Directory listing with public content
  • Missing best practices in SSL/TLS configuration

And quid pro quo, that’s why we promise:

  • We will respond to your report as soon as possible with our assessment of the report and an expected date for resolution.
  • We will treat your report confidentially and will not share your personal data with third parties without your permission unless it is necessary to resolve the report or comply with a legal obligation. You can also report to us anonymously.
  • We will keep you informed of the progress in resolving the problem if you have asked us to do so.
  • We will mention your name, in the case of low, medium and high findings, on our Hall of Fame, obviously only with explicit, informed, unambiguous and freely given permission (when you are the first to report this vulnerability and we have made an adjustment as a result of your report)
  • If finding the vulnerability in our systems is a consequence of a possible criminal or unlawful act, we will not take any legal action against you if you have complied with our terms relating to our ‘Responsible Disclosure’.
  • We aim to resolve all reports as quickly as possible. Should you seek publicity or wish to publish about a problem after it has been resolved, please coordinate the publication with us and inform us in advance.

This Responsible Disclosure is based on an example from Floor Terra.

Hall of Fame

We thank the following people for their contributions:

  • Soundar M
  • Foysal ahmed fahim