Responsible Disclosure Policy
You may have discovered a vulnerability in our services that we need to hear about in order to fix it and/or take immediate preventive action. Although we do our utmost to keep our services secure and frequently execute a variety of tests and audits, both internally and externally, loopholes may still exist. Please report any vulnerability you have noticed immediately to firstname.lastname@example.org; we will pick it up from there and keep you informed of our actions.
At a minimum, this mail will be read by our support colleagues, the Security Officer on duty, the CISO and, last but not least, our CEO.
Indemnity – No Blame
We will hold you blameless and indemnify you from any form of prosecution if you help us fix a problem and adhere to this policy. It is essential that you remain within the boundaries of the law at all times. The most important point here is that you do not publish data that you may have collected, as this may damage our clients or end-users.
Under the law of our country, we are required to disclose data leaks and potentially serious security incidents to the authorities. If you wish to remain anonymous to these parties, please indicate this to us and kindly make sure that we can still contact you; we are fine with you preserving your anonymity by using a pseudonym.
If you managed to download sensitive data, please protect this data as best you can and keep it encrypted at all times. During resolution, we may need to work with you, and this data may be essential. During or at the end of this process, however, we will ask you to delete the sensitive data permanently and completely.
Depending on the value of your discovery, the exposure it prevents for our company and the amount of time and effort you have spent to help us, we will attempt to reward you accordingly. Please note that the main scope of our services, which is providing the CIAM/IDaaS platform (application, architecture and infrastructure), should be central to your discoveries and to your entitlement to corresponding compensation. This excludes, for instance, the brand website www.iwelcome.com and our other B2B online marketing channels.
Depending on the severity and potential impact of your discovery, we will attempt to fix it as soon as possible. We request that the exploit not be published or otherwise made known to the public during a period of at most six (6) weeks.
Mail to: email@example.com
Please include all available information so that we can reproduce the issue. If it contains sensitive information of any kind (in your judgement), please encrypt the information before sending it to us.
Your advice on this may prove valuable; don't hesitate to provide it if you wish.
Please make sure to include an email address that we can use to contact you.