You may have discovered a vulnerability in our services that we need to hear about in order to fix it and / or take immediate preventive actions. Although we do our utmost best to keep our services secure and frequently execute a variety of tests and audits, internally and externally, loopholes may still exist. Please report any vulnerability you have noticed immediately to firstname.lastname@example.org, we will pick it up from there and keep you informed of our actions.
At a minimum, this mail will be read by our support colleagues, the Security Officer on duty, the CISO and, last but not least, our CEO.
Indemnity – No Blame
We will hold you blameless and indemnify you from any form of prosecution if you help us fix a problem and adhere to this policy. It is essential that you remain within the boundaries of the law at all time. The most important thing here is that you do not publish data that you may have collected, as this may damage our clients or end-users.
It is a matter of law in our country to disclose data leaks and potential serious security incidents to authorities. If you wish to remain anonymous to these parties, please indicate so to us and. Kindly make sure that we can contact you, however we are fine if you preserve your anonymity by using an acronym.
If you managed to download sensitive data, please protect this data at the best you can and keep it encrypted at all times. During resolution, we may need to work with you and this data may be essential. During or at the end of this process however, we will ask you to delete the sensitive data permanently and completely.
Bounty & Credits
Depending on the value of your discovery, the prevention of exposure for our company and the amount of time and effort you have spent to help us, we will attempt to reward you accordingly.
You will also be given due credit if you so wish whilst reporting about the vulnerability and the fix.
Depending on the severity and potential impact of your discovery, we will attempt to fix it as soon as possible. We would like to request that the exploit not be published or made known to the public during a period of (maximum) six (6) weeks.
Please include all available information so that we may reproduce the issue. If the information contains sensitive information of any kind (based on your judgement) please aim to encrypt the information sent to us.
Your advice in this may prove valuable, don’t hesitate to provide it if you wish.
Please make sure to include an email address that we can use to contact you.
Please also add if you wish to remain anonymous or, on the contrary, wish that we credit you publicly with the discovery.