At Forcyd we find the safety of our systems, our network and our products very important. Although we pay a lot of care to security, it can happen that a weak spot is detected. If that is the case, we would like to hear this as soon as possible, so that we can take action quickly.
Weaknesses can be discovered in two ways: you accidentally run into something with normal use of a digital environment, or you explicitly do your best to find a weak spot.
Our responsible disclosure policy is not an invitation to actively scan our company network for weak spots. We monitor our network ourselves. As a result, there is a good chance that a scan will be picked up, that our Security Operation Center (SOC) will investigate this and that unnecessary costs may be incurred.
As far as our products are concerned, you are cordially invited to actively look for vulnerabilities in an offline and non-production environment and to report your findings to us. From accountability to our customers we do not want to call for hacking attempts on their infrastructure. However, here too, we want to hear from you as soon as possible as vulnerabilities are found, so that we can rectify them adequately.
We would like to work with you to better protect our customers and our systems.
We ask you
Send your findings as quickly as possible to firstname.lastname@example.org.
Do not misuse the weakness by, for example, downloading, changing or deleting data. We always take your report seriously and investigate any suspicion of a vulnerability, even without ‘proof’.
Do not share the problem with others until it is resolved.
Do not use attacks on physical security, social engineering or hacking tools, such as vulnerability scanners.
Give us enough information to reproduce the problem so that we can solve it as quickly as possible. Usually the IP address or the URL of the affected system and a description of the vulnerability is sufficient, but more complex vulnerabilities may require more.
We promise you
We will respond to your report within three working days with our assessment of the report and an expected date for a solution.
We will treat your report confidentially and will not share your personal information with third parties without your consent. An exception to this is the police and judiciary, in case of declaration or if data are claimed.
We will keep you informed of the progress of the problem.
In reporting on the reported problem we will, if you wish, mention your name as the discoverer.
Unfortunately, it is not possible to exclude legal action against you in advance. We want to be able to weigh each situation separately. We consider ourselves morally obliged to report at the moment that we suspect that the weakness or data are being abused, or that you have shared knowledge about the weakness with others. You can count on it that an accidental discovery in our online environment will not lead to a report.
As a thank you for your help, we offer a reward for every report of an unknown security problem. We determine the size of the remuneration on the basis of the severity of the leak and the quality of the report.
We strive to solve all problems as quickly as possible, keep all parties involved informed and we are happy to be involved in any publication about the problem after it has been resolved.
Thanks to Floor Terra for his sample text on http://responsibledisclosure.nl/