
Vulnerability Disclosure Policy

Within ThreatFabric, great value is placed on (information) security. However, no matter how much effort we put into this, there can still be vulnerabilities present. If you discover a vulnerability, we would like to know about it, so we can take steps to address it as soon as possible. Please follow the instructions below:

Email your findings to security@threatfabric.com. If possible, please encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands:

PGP Fingerprint = 84C2 ED46 0DDD 5FAC 26A6 A8BF A457 2F71 0C2F FFF8

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: Hostname:
Version: Hockeypuck 2.1.0-222-g25248d4

xsFNBGQ2vIYBEADy4mDqUmc84XxanAIuwY1s0RAZNwzJE5t4zewxvW5o6oSaDUn9
rn2ALpVuGt4NamPPm0mQvZrn4Bley/GNLnjTMYgJM4PGOMhz4Cq84VINGYHo3Z60
e+DPN2qOBV9RNLqhrTN1OKc/kc5jHu2QJo0EGV5mFebGLhvYo8uUQfZiGa3dii92
Hi9Bx0fsTUiJ/qgNLuxwXwrckFtrEx3JCpEUDiR5pnKOWFyuHyloSCBv9rbmyF4p
TZ7dNz20Kx8E9biu9n5ubaldjxX9ISSJj6O3zyZ/6bmAwTSbEKm4w+iHIf30yPg5
ClG6k/8AVudau1socCCS34gOdS57W70VY9ry9GRyrajIcCQU5r69YZGYBP77gLLh
GVPsdy3UdduqJ+PzC7exP61Gn9+k2C3S50kTaC0IYEywoIIpMW0nekpvvZ1mUGGs
z5fDKuo3+uzgH350F5uPpXdpj772Xo+eiDu8STiWXBDYk/eXH29s1vxoIY+7AnO9
hfZ8ybc5LN3lo19rClo0lyTBmgeLKouk7X7nv52LrSzy5zKyVEjpR1MDSrwg6kvT
lSS+eqZgkbSbvRgJg2kXrnnQ20cDSiO+PU+3rCRrUo8S58oupbIw2AlX5DLcklcE
BaTV5mQ3zm8dS5SwpO1SWJ3gkeSS915npEvALmZe+1BbYclDL55XDMxq0wARAQAB
zTJUaHJlYXRGYWJyaWMgU2VjdXJpdHkoKTxzZWN1cml0eUB0aHJlYXRmYWJyaWMu
Y29tPsLBkQQTAQgAOxYhBITC7UYN3V+sJqaov6RXL3EML//4BQJkNryGAhsPBQsJ
CAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEKRXL3EML//4brYP/11nxzbYV+pl
/+2FQ3Z1FThava49tuiEaIaMEnK1gUk/+39E2isasaV2Mepxfaa3AIWir/Bvui2/
W00mlgioYXIgDJNUWqlvxbthzXKnSoQBAFClYVAF/XOl7ytIj+6ssKXrPEOh8l0J
Am6MmdRCTvxsfxVIC4EigWiKu92+/T+FJb3ZcltTSEMMJ7//sgc8R3hX+ixI9CZR
GnNwZ+dkGPvdvu4JbE+6qwLFM8CxO9KDLvlTJQaYeQQVmBGpPHH4pu9vSoKXMi3b
Cq25pa1mn0x+8J6+XLhbdSh5+t7e7rOk+oFhm8CXvD8Tsl/DzkEtfWy6Wi1KHeYZ
kZLHA4E5JAbnmnm/ZcnIwyGwjQ+Oua7dueg2A+g1fzp3qpUOu7P7PzoixSYu2OSC
/F6t/+wQKIsjnMKoVL3bAgTLgFhTbe0EKFQhCodM074ApXLRiemDuB5N6uF2XfR/
z2wh56HTCzbHAuh+i0ZMjda37DqjrBQc9FKJ9r8wp6DUZI7js4iI9hjdXCyL3p8t
PkzjY4Xtzvelaf3wmg4Luj7lssRUCpC23UlKtO6Ct/QH8saMH5QYvnt8Fil5WWb5
XDB59xrMIe8/MYDf5ZCfvT0Xmoc4U8XLWMXmN5ylo2Glr79XEFdRwLPTfRCE0yG8
bp4YohBoTi2anQpro2SNNl1WH5aRc/ew
=4ddV
-----END PGP PUBLIC KEY BLOCK-----

We require you:

  • Not to take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying existing data.
  • Not to reveal the problem to others until it has been resolved.
  • Not to use the information to execute attacks on physical security, applications of third parties or perform social engineering, distributed denial of service, phishing, or spam.
  • To provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address (or the URL) of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.

We promise you:

  • We will respond to your report within five business days.
  • We will not take legal action against you regarding the information you shared with us if you have followed the instructions above (paragraph ‘We require you’).
  • We will handle the information you shared with us with strict confidentiality, and not pass on your personal details to third parties without your permission.
  • We strive to resolve all problems as quickly as possible.

Exclusions

This vulnerability disclosure policy is not intended for:

  • reporting complaints.
  • reporting fake emails (phishing emails).
  • reporting fraud.

We also exclude specific problems that, in our opinion, do not constitute a threat.

Excluded systems

All systems other than domains ending in:

  • threatfabric.com.
  • threatfabric.org.
  • threatfabric.net.

Excluded types of security problems

  • SPF/DMARC records.
  • (D)DoS attacks and rate limiting of calls.
  • Problems that amount to self-XSS.
  • Error messages without sensitive data.
  • Software (version) disclosure.
  • Resolved vulnerabilities.