Vulnerability Disclosure Policy
Within ThreatFabric, great value is placed on (information) security. However, no matter how much effort we put into this, there can still be vulnerabilities present. If you discover a vulnerability, we would like to know about it, so we can take steps to address it as soon as possible. Please follow the instructions below:
Email your findings to email@example.com. If possible, please encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands:
PGP Fingerprint = 84C2 ED46 0DDD 5FAC 26A6 A8BF A457 2F71 0C2F FFF8
We require you:
- Not to take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying existing data.
- Not to reveal the problem to others until it has been resolved.
- Not to use the information to execute attacks on physical security, applications of third parties or perform social engineering, distributed denial of service, phishing, or spam.
- To provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP-address (or the URL) of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
We promise you:
- We will respond to your report within five business days.
- We will not take legal action against you regarding the information you shared with us if you have followed the instructions above (paragraph ‘We require you to’).
- We will handle the information you shared with us with strict confidentiality, and not pass on your personal details to third parties without your permission.
- We strive to resolve all problems as quickly as possible.
This vulnerability disclosure is not intended for:
- reporting complaints.
- reporting fake emails (phishing emails).
- reporting fraud.
We also exclude specific problems that, in our opinion, do not constitute a threat.
All systems other than domains ending in:
Excluded types of security problems
- SPF/DMARC records.
- (D)DOS attacks and rate limiting of calls.
- Problems that amount to self-XSS.
- Error messages without sensitive data.
- Software (version) disclosure.
- Resolved vulnerabilities.