Principles Regarding Safety
We consider the safety of our systems a top priority. However, no matter how much effort we put into system security, vulnerabilities can still exist.
If you discover a vulnerability, we would like to know about it so that we can take measures to address it as quickly as possible. We ask for your help in better protecting our customers and our systems.
Please do the following:
- Email your findings to firstname.lastname@example.org. Encrypt your findings with our PGP key to prevent this critical information from falling into the wrong hands.
- Do not exploit the vulnerability or the problem you have discovered, for instance, by downloading more data than necessary to demonstrate the vulnerability or by deleting or modifying other people’s data.
- Do not disclose the problem to others before it has been resolved.
- Do not perform attacks on physical security, using social engineering, distributed denial of service, spam, or third-party applications.
- Provide enough information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more explanation may be needed for complex vulnerabilities.
What We Promise:
- We will respond to your report within 3 business days with our assessment of the report and an expected date for a resolution.
- If you have followed the above instructions, we will not take legal action against you regarding the report.
- We will treat your report with the strictest confidence and will not pass on your personal information to third parties without your permission.
- We will keep you informed of the progress in resolving the issue.
- In the public information about the reported problem, we will mention your name as the discoverer of the problem (unless you wish otherwise).
- As a token of our gratitude for your help, we offer a reward for each report of a security problem that we were not yet aware of. The amount of the reward will be determined based on the severity of the breach and the quality of the report. The minimum reward for a problem that poses an actual danger is a €50 gift voucher.
We aim to resolve all issues as quickly as possible and would like to play an active role in the eventual publication about the problem after it has been resolved.