Responsible Disclosure Policy
Have Skills, Take Responsibility
The safety of your data is our top priority. That’s why we work hard to protect our systems. But did you nonetheless find a flaw in our security? Help us by reporting the vulnerability. Please do not make a vulnerability public, before working with us on a solution first. We are not trying to cover up our mistakes, but making a vulnerability public might have serious consequences for all our customers.
How can I report a vulnerability?
You can report a vulnerability by sending an email to firstname.lastname@example.org. If possible, encrypt your email with our GPG-key (ask for key) to prevent the information from falling in the wrong hands. Please explain in your e-mail the vulnerability you have found and provide us with enough information to reproduce and investigate the problem.
Can I report a vulnerability anonymously?
Absolutely. You are not required to provide your personal details.
You might have conducted illegal activities to discover a vulnerability. We will not report these activities or claim damages if you have followed these rules:
- act responsibly with the knowledge about the vulnerability, and do not perform any actions that go beyond what is necessary to demonstrate the flaw;
- do not cause any damages;
- do not use a denial-of-service attack or social engineering;
- ensure that your research does not lead to an interruption of our services;
- your research should never result in Keycycle or customer data becoming public;
- never place a backdoor, not even to demonstrate a vulnerability;
- never modify or delete data. In case you need to copy data, never copy more data than strictly necessary;
- do not make any system changes;
- do not try to penetrate a system more often than necessary.
- do not use brute force techniques.
- do not use techniques that may affect the availability of our services.
- Always report a vulnerability as soon as possible and please ask us for permission before making the vulnerability public.
What happens when I report a vulnerability?
We will start an investigation immediately after receiving your report. We always try to get back to you within a couple of days and will keep you up-to-date about our progress on solving the problem. The time we need to solve an issue depends on the complexity of the problem. After you have reported a problem, we ask you to refrain from making it public to give us time to solve the issue first.
Do you make the issue public?
Together, we can decide if and how the issue will be made public (after the problem has been solved). We can include your name in the publication if you want.
Can I get a reward for reporting an issue?
You can earn a place on our Wall of Fame if you report a vulnerability to us. Please let us know with which handle or name you want to be represented. To further thank you for your help we may offer you a reward, but we are never required to offer a reward. We only offer rewards for flaws that were unknown to us at the moment of reporting. We will determine the type and size of the reward based on the reported issue, taking the severity of the issue (amongst other things) into account. In case multiple people report the same issue, we will only offer a reward to the first reporter.
How about my privacy?
We only use your personal details to take action in response to your report. We don't share your data with third parties without your permission, unless we are legally required or a court order requires us to do so. If we contract another company to investigate your report, we might be required to share your data with this company. We will ensure this company also keeps your data confidential.
Laws and regulations
Always take applicable laws and regulations into account, because you could still get in trouble with the law, even if we don't report you to the authorities.
Wall of Fame
We thank the following vulnerability researchers for their contributions to our security: