SECURITY.md

Security Policy

We consider the security of our projects a top priority. But no matter how much effort we put into security, there can still be vulnerabilities present. If you discover a vulnerability in one of the projects directly developed by us, we would like to know about it so we can take steps to address it as quickly as possible, while protecting our users and their data.

Report a vulnerability

Provide enough information to reproduce the vulnerability, so that we can resolve it as quickly as possible. In particular, please include at least the following:

  • type of vulnerability;
  • affected service, URL, or IP addresses;
  • requirements to reproduce the issue;
  • information necessary to reproduce the issue;
  • impact of the vulnerability together with an explanation of how an attacker could find it and exploit it.

Ethical Rules

  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or by deleting or modifying other people’s data.
  • Do not share the information about the vulnerability with others until it has been resolved. We will notify you when the security vulnerability has been fixed.
  • Do not place a backdoor in a system. By placing a backdoor in a system, that system becomes even more insecure.
  • Do not make changes to the system or application.
  • Do not use denial-of-service attacks or brute force to gain access.
  • Do not use aggressive automated scanning.
  • Do not use social engineering of our employees or contractors.

What we promise

  • We will respond to your report within 7 business days with our evaluation of the report and an expected resolution date.
  • If you have followed the instructions above, we will not take any legal action against you concerning the report.
  • We will not pass on your personal details to third parties without your permission, unless it is necessary to comply with a legal obligation. Reporting under a pseudonym or anonymously is possible.
  • We will keep you informed of the progress towards resolving the problem.
  • By mutual agreement, and if you wish, we can credit your name or acronym as the discoverer of the reported vulnerability in our hall of fame.