Despite our daily care for all our systems, it is always possible that a security breach arises. That’s why we published this Responsible Disclosure policy.
Responsible disclosure means the following: if you encounter a security breach (or a weak spot) concerning one of our systems, we would like to hear about this as soon as possible. We will respond by taking appropriate measures as soon as possible. And we are more than willing to work together to protect the privacy of our systems and clients even more.
We ask you to do the following:
- Email your findings to firstname.lastname@example.org,
- Do not share your findings with anyone else before the issue has been resolved and to erase all confidential data you acquired immediately after the breach has been resolved,
- Provide us with enough information so we are able to reproduce the notified issue in order for us to resolve it as soon as possible. In most cases providing us with the IP-address or the URL of the affected system and a description of the vulnerability is enough. In complex cases more information might be needed though.
- Avoid at all times the following:
- placing malware including a backdoor;
- copying, changing or deleting data in a system (an alternative is to make a directory listing in a system);
- making changes to the system;
- repeatedly gaining access to the system or sharing access with others;
- making use of ‘bruteforcing’ to gain access to systems;
- making use of denial-of-service or social engineering.
We promise you the following:
- We will respond to your notification within 5 working days. We will provide you at that time with our analysis of the reported breach and an estimate of the time necessary to come up with a solution;
- We will keep you up to date about our progress to resolve the reported issue;
- If you comply with the above conditions, we will not take any legal action against you regarding the report;
- We will treat your report confidentially and will not share your personal information with third parties without your permission, unless this is required by law or pursuant to a court order;
- You can report anonymously or under a pseudonym. However, if you do so, we cannot contact you about, for example: the follow-up steps, progress of closing the breach, any publication about the report. Also we cannot provide you with any reward for the report;
- In our report about the issue, we can mention your name as the discoverer (if you wish to);
- We would like to be involved in a possible publication about the reported issue;
- We can give you a reward for your research, but we are not obliged to do so. You are, therefore, not automatically entitled to a reimbursement. If we reward you, the kind of reward is determined by us on a case-by-case basis. Whether we reward you and how we will do so depends on the accuracy of your research, the quality of the report and the severity of the reported breach. In any case, it has to be a security breach that is not yet known to Level Level.
- Reports about WordPress and plugins that are published in the CVE database are known to us and are closed. Vulnerability reports about an enabled xmlrpc API are also closed.
- Don’t report any SPF or DMARC records missing.
Our policy is covered by a Creative Commons Attribution 3.0 license. The policy is based on the example policy of Floor Terra.
Latest update: 04 Januari 2023