At Computest we believe that the security of our systems is extremely important. Despite our concern for the security of our systems, a weak point may still exist.
If you have found a weak point in one of our systems, we would be more than happy to hear about it so that we can take measures immediately. We are happy to collaborate with you to better protect our systems and those of our clients.
We ask you:
- To send us your findings by email to firstname.lastname@example.org. Encrypt your findings with our PGP key in order to prevent the information from falling into the wrong hands,
- Not to abuse the problem, for example by downloading more data than is necessary to demonstrate the leak, or by viewing, deleting or amending the data of third parties,
- Not to share the problem with others, and to delete all confidential data acquired through the leak immediately after the leak has been closed,
- Not to use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties, and
- To provide sufficient information to reproduce the problem so that we can solve it as quickly as possible. The IP address or the URL of the system involved, plus a description of the vulnerability, is usually sufficient, but further details may be required in the case of complex vulnerabilities.
What we promise:
- We will respond to your report within 3 working days with our assessment of the report and an expected date for a solution,
- If you have kept to the conditions set out above, we will take no legal action against you in relation to the report,
- We handle your report confidentially and we will not share your personal details with third parties without your permission, unless that is necessary in order to fulfil a legal obligation. It is always possible to make a report under a pseudonym,
- We will keep you informed about the progress concerning the solution of the problem,
- If you wish, we will include your name as the discoverer of the reported problem in our reporting of the event.
We do our best to solve all problems as quickly as possible and we are pleased to be involved in any publication about the problem, once it has been solved.
This text is based on an example from Floor Terra (http://responsibledisclosure.nl/).