At Forus-P bv (hereafter named ForusP) we believe the safety of our systems, our network and our products is extremely important. Even though we pay considerable attention to security, a weakness can be discovered. If that is the case we would like to hear about it as quickly as possible so we can take measures.
Vulnerabilities can be discovered in two ways: by accident while using the digital environment in a normal way, or by purposely looking for vulnerabilities. Please note that our responsible disclosure policy is not an invitation to actively scan our corporate network for vulnerabilities.
We would like to work together with you to improve the protection of our customers and systems.
We ask you:
- To email your findings as quickly as possible to email@example.com, preferably using PGP.
- Do not abuse the vulnerability by downloading, changing or removing data. We will always take your report seriously and will investigate any indication of a vulnerability, even without “proof”.
- Do not share the issue with others until it has been resolved.
- Do not use attacks on physical security, social engineering, or hacking tools such as vulnerability scanners.
- Provide us with enough information to reproduce the problem so we can fix it as quickly as possible. Usually the IP address or URL of the vulnerable system and a description of the vulnerability is enough, but for more complex vulnerabilities more information may be necessary.
- You will remove all confidential data gathered in your investigation immediately after we solve the vulnerability.
- We will respond to your report within 3 business days with our assessment of the report and the expected date for a fix.
- We will handle your report confidentially and will not share your personal details with third parties without your permission. An exception to this is law enforcement and the justice department in case of a police report or if data needs to be claimed.
- We will keep you updated on the progress of solving the issue.
- In any potential notifications about the reported issue we will, if wanted, give you credit for finding the vulnerability.
- Unfortunately it’s not possible to rule out any legal action against you in advance. We want to be able to judge each situation separately. We feel we are morally required to press charges if we suspect the vulnerability or data is being abused or if you shared this knowledge with anyone else. You can count on us not to press charges for an accidental discovery in our online environment.
- As a thank you for your help we offer a reward for every report about security issues that we didn’t know about. The size of the reward will be determined by us depending on the severity of the leak and the quality of the report.
We strive to solve all issues as quickly as possible and to keep all involved parties informed. We would like to be involved in any potential publications about the issue after it has been resolved.
With thanks to Floor Terra