We ask you
- To email your findings to email@example.com.
- To make your report as soon as possible after you have discovered the vulnerability.
- Not to abuse the problem, for example, by downloading more data than is necessary for demonstrating the leak or by accessing, removing or adjusting third party data,
- Not to share the problem with others until it has been solved and to erase all data obtained through the leak immediately after the leak has been stopped,
- To provide sufficient information to reproduce the problem, so that we can solve it as soon as possible. The IP address or the URL of the affected system and a description of the vulnerability often suffice, but more may be required in the case of more complex vulnerabilities.
- To leave your contact details so that we can work with you on a safe result. We need at least an email address or telephone number of you.
- Not to make use of attacks on physical security, social engineering, distributed denial of service, spam or third party applications.
The following acts are not permitted
- Placing malware, neither on our systems nor on those of others.
- So-called “brute forcing” of access to systems
- Using social engineering.
- Disclosing or providing information about the security problem to third parties before the problem has been solved.
- Performing acts that go beyond what is strictly necessary for demonstrating and reporting the security problem, especially where it concerns the processing (including accessing or copying) of confidential data to which you have access as a result of the vulnerability. Instead of copying an entire database, you can usually limit yourself to e.g. copying a directory listing. Modification or removal of data in the system is never permitted.
- Using techniques that diminish the availability and/or utility of the system or services (DoS attacks).
- Abusing the vulnerability in any (other) way whatsoever.
What we promise
- We will respond to your report with our assessment of the report and an expected date for a solution within 3 days,
- We will treat your report as confidential and will not share your personal data with third parties without your consent, unless this is necessary for performing a statutory obligation. Reporting using a pseudonym is possible,
- A period of time after which the person making the report may disclose the vulnerability, preferably 60 after reporting the problem in the case of software and six months in the case of hardware, will be agreed in that consultation.
- We will keep you informed of the progress on solving the problem.
- If you have complied with our conditions, we will not take legal action against you with regard to the report,
- If you wish, we will mention your name as the person who discovered the problem in communications about the problem.
We aim to solve all problems as quickly as possible and would like to be involved in any publication about the problem after it has been solved.