Weak spots can be discovered in two ways: accidentally as part of the regular use of the digital environment, or consciously by looking for a security vulnerability (with automated tools). Our responsible disclosure policy is not an invitation to actively scan our corporate network to discover vulnerabilities. We would like to work with you to better protect our customers and our systems.
We ask you:
- Email your findings as soon as possible to firstname.lastname@example.org.
- Not to abuse the problem by, for example, downloading more data than is necessary to demonstrate the leak or to view, delete or modify data from third parties.
- Not to share the problem with others until it is resolved and to promptly erase any confidential data that may have been obtained through the leak.
- Not to use "hacking tools" that negatively affect the availability of our systems, such as "SPAM" or "DDOS tools".
- Provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more complex vulnerabilities may require more.
What we promise:
- We will respond to your report within 3 days with our assessment of the report and an expected resolution date.
- If you have adhered to the above conditions, we will not take legal action against you regarding the report.
- We treat your report confidentially and will not share your personal information with third parties without your permission unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is possible.
- We will keep you informed of the progress of solving the problem.
- In reporting on the reported problem, we will, if you wish, mention your name as the discoverer, and
- As a thank you for your help, we offer a reward for every report of a security issue unknown to us. We determine the size of the reward on the basis of the severity of the leak and the quality of the report in the form of a voucher. The reward is only awarded to residents of the EU / EEA.
We strive to resolve all issues as quickly as possible and are happy to be involved in any publication about the issue once it has been resolved.
Thanks to Floor Terra for the sample text at https://responsibledisclosure.nl/