28 September 2015
The following text describes Solvinity's policy on responsible disclosure, in addition to the guidelines published by the NCSC:
At Solvinity, the security of our systems is of the utmost importance. Despite our attention to security, a weak spot may still exist in one of our systems or in one of our customers' systems.
Our responsible disclosure policy is not an invitation to actively and extensively scan our company network for vulnerabilities. We monitor our company network ourselves.
If you nevertheless find a flaw in our systems, we would like to be notified so that we can take measures as soon as possible. We would like to work with you to better protect our customers and our systems.
What we ask of you
- E-mail your findings to firstname.lastname@example.org. Encrypt your findings with our PGP key (fingerprint 4F90 3393 06A6 674E 9486 5509 7E0B 4A53 0F4D 88ED) so that the information cannot fall into the wrong hands. Check that the fingerprint of the key you obtained matches the one above before encrypting.
- Do not abuse the problem, for instance by downloading more data than is necessary to demonstrate the leak, or by viewing, removing or changing third-party data.
- Do not share the problem with others until it has been solved, and delete all confidential data obtained through the leak as soon as it has been closed.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications.
- Provide sufficient information to reproduce the problem so that we can solve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more complex vulnerabilities may require additional information.
What we promise you
- We will respond to your message within 3 days with our assessment of the issue and an expected date for a solution.
- If you have complied with the conditions above, we will not take legal action against you concerning the notification.
- We will treat your notification confidentially, and your personal information will not be shared with third parties without your permission, unless this is necessary to fulfil a legal obligation. Reporting under a pseudonym is possible.
- We will keep you informed of progress towards resolving the issue.
- In communication about the reported issue we will, if you wish, mention your name as the discoverer.
We strive to resolve any problems as quickly as possible, and we would like to be involved in any publication about the problem after it has been resolved.