Coordinated Vulnerability Disclosure
Kliksafe is an organization that strives for safe internet access for young and old. We work with different systems to provide and support our products. Safe internet naturally also includes safe systems. Every system can contain a vulnerability, but we want to do our utmost to prevent this. If you discover a vulnerability in one of our systems, we would like to get in touch with you so that we can resolve the vulnerability.
What we expect from you:
- If you discover a vulnerability in one of our systems, we would like to ask you to contact us. This notification may be sent by email to firstname.lastname@example.org. We would like to ask you to use our PGP key to report this securely.
- If you investigate a vulnerability in our systems, take the proportionality of the vulnerability into account. If you carry out a DDoS attack of historic proportions on our website, it will be unavailable for a while. We don't expect otherwise.
- That you do not abuse the problem by, for example, downloading more data than is necessary to demonstrate the vulnerability or by viewing, deleting, or adjusting third-party data.
- That you provide the report with sufficient information to be able to reproduce the vulnerability. Typically, the IP address or URL of the system and a description of the vulnerability are sufficient, but more complex vulnerabilities may require more information.
- That you do not share knowledge about the vulnerability with third parties until the vulnerability has been resolved by us.
- That you delete all confidential data obtained through the vulnerability immediately after we have resolved the vulnerability.
What you can expect from us:
- We will respond in detail to your report within 5 working days with an expected resolution period.
- We will fix the vulnerability as soon as possible. Again, the proportions of the vulnerability are taken into account and the resolution time depends on several factors, including the impact and complexity of the vulnerability.
- If you comply with the above expectations, we will not take legal action against you in relation to your report.
- We will treat the report confidentially. We will also not share your personal information with third parties without your permission unless this is necessary to comply with a legal obligation. (Reporting under a pseudonym is also possible.)
- As a thank you for your help, we would like to include you in our Hall of Fame. Of course, we ask for your permission in advance. If you have found a critical vulnerability that is unknown to us, we would like to offer you a reward. The size of the reward depends on the content of the vulnerability.
This text is based on the text by Floor Terra, published under a Creative Commons 3.0 licence. This text can be found at https://responsibledisclosure.nl
Hall of Fame
| April 2023 | Pankaj Lakshkar | Improving the security of mijnkliksafe.nl |