We prioritize the safety of our systems and do everything we can to protect them properly. However, vulnerabilities can still be found in our systems. That’s why we prefer to find any issues and take action to fix them as quickly as possible.
Honesty, transparency and trust are part of our core values. If you find a vulnerability, we will be happy to work with you to resolve it through the following process.
Notify us by email
Contact us at firstname.lastname@example.org. You can include your findings in the email, or we can discuss another way to share information. Be sure to include in your email the IP address or URL of the system and a description of the vulnerabilities you’ve found. Usually that is enough information for us, but we may ask you to provide additional information.
What to expect from us
We take your vulnerability reports seriously and are happy to work with the reporter to fix the issue. That means:
- We handle your report confidentially and do not share your information with others unless we are legally required to do so. You can also report vulnerabilities to us anonymously or under a pseudonym.
- You will receive a response from us within one day of your email notification.
- We provide a substantive response to your report within three working days of your notification.
- We investigate the vulnerability and assess how we deal with it. We may accept certain vulnerabilities if they pose little or no risk to us.
- Our starting point is to fix vulnerabilities as quickly as possible. Our goal is to have software vulnerabilities resolved within 60 days and hardware vulnerabilities within 6 months.
- We’ll update you on the progress of the review and resolution process.
- If you agree, we’ll list your name as the one who discovered the problem when we report on it.
- As a token of our appreciation, we offer a reward for reports of vulnerabilities that we were not aware of yet. The reward depends on the severity of the vulnerabilities found, the quality of the notification and the way of working together. The value can range from a recognition or thank you on social media to rewards with financial value.
- If you follow the points below, we will not take legal action (such as filing a police report or claiming damages) against you.
Points to keep in mind
We trust you to act with integrity and care. That’s why we request that you:
- Do not exploit the vulnerability for purposes other than the notification;
- Do not view, modify or remove more information than is necessary to demonstrate the vulnerability when investigating it;
- Do not publish or share the vulnerability with others before the issue has been resolved;
- Delete all confidential information you obtained through the vulnerability once the issue has been resolved;
- Work with us to find a solution by giving us enough information to reproduce and solve the problem; and
- Do not use social engineering, DDoS attacks, third-party applications or breaches of physical security measures.