Responsible Disclosure Policy
Should it happen that you discover a vulnerability in one of our systems, we would appreciate to hear from you so that we may issue countermeasures as soon as possible. We would like to collaborate with you to ensure the safety of our customer’s and own data.
We ask you
- To email your findings to email@example.com.
- Not to misuse the problem by, for example, downloading more data than required to demonstrate the vulnerability or reading, modifying or deleting third-party data.
- Not to publicly disclose the vulnerability until a patch has been issued and all retrieved data through the use of this vulnerability have been deleted.
- Not to attempt to attack Digital Survival Company through attacks on physical security, social engineering, Distributed Denial of Service and/or spam.
- To provide sufficient information for us to patch the vulnerability. In most cases, an IP-address or the URL of the vulnerable system would suffice. However, more complex cases sometimes require more information.
- We will respond to your findings within three workdays with our assessment of the situation and (if applicable) an expected date of resolution.
- If you stuck to the above requirements, we shall not take legal action against you regarding the vulnerability.
- We will treat your personal information confidentially and will not share these data with third parties unless required by law. Reporting under a pseudonym is possible.
- We will keep you up to date with recent developments regarding the resolution of the vulnerability.
- In the public information concerning the problem reported, we will provide your name as the discoverer of the problem (unless you desire otherwise).
We strive to solve all problems as quickly as possible and would like to play an active role in the ultimate publication of the problem once it has been solved.