Responsible disclosure

Date of last update: 24/06/2018

We feel that Digicy.Cloud’s own IT-systems should be secure and exemplary, and we therefore pursue the highest standards of security. Yet it can happen that there is a vulnerability in one of our systems. This page explains what you can do when you find a vulnerability.

This procedure is based on the Responsible Disclosure guide of the National Cyber Security Center (NCSC) of the Dutch government.

Vulnerabilities in IT-systems

If you have found a vulnerability in one of the IT-systems of Digicy.Cloud, we would like to hear from you so that the necessary measures can be taken as soon as possible. We would like to work with you to better protect the security of our IT-systems. With this in mind, Digicy.Cloud applies the following policy regarding the handling of reports of vulnerabilities identified by you in the IT-systems of Digicy.Cloud. You may expect this from us if you report a vulnerability in one of the systems.

We ask you

  • Email your findings to [email protected].
  • Provide sufficient information to reproduce the problem so that we can solve it as quickly as possible.
  • Usually the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more complex vulnerabilities may require more.
  • Leave contact information so that we can contact you to work together on a safe solution.
  • Leave at least an e-mail address or telephone number.
  • Report this to us as soon as possible after discovery of the vulnerability.
  • Do not share the information about the security problem with others until it is resolved.
  • Act responsibly with the information about the security problem by not performing any actions beyond what is necessary to demonstrate the security problem.

We do not allow the following

  • Placing malware.
  • Copying, modifying or deleting data in a system (an alternative for this is making a directory listing of a system).
  • Making changes to the system.
  • Gaining access to the system repeatedly or sharing access with others.
  • Using so-called “brute-forcing” to get access to systems.
  • Using denial-of-service or social engineering techniques and methods.

What you can expect

  • If you meet the above conditions when reporting a vulnerability identified in the Digicy.Cloud IT-system, no legal consequences are or will be attached to the report.
  • We treat a report confidentially and we never share personal information with third parties without the consent of the reporter, unless this is required by law or pursuant to a court order.
  • With mutual consent we can, if you wish, mention your name as the discoverer of the reported vulnerability.
  • We will send you an acknowledgment of receipt within 1 working day.
  • We respond within 3 working days to a report with the assessment of the report and an expected date for a solution.
  • We keep the reporter informed of the progress on the problem.
  • We resolve the security problem that you identify in a system as quickly as possible, but no later than 90 days. It can be determined in mutual consultation whether and how the problem can be published after it has been resolved.
  • We offer a reward as a thank you for the help. Depending on the severity of the security problem and the quality of the report, that reward can vary from a T-shirt to a maximum of $100. It has to be an unknown and serious security problem for us. You can also, if you wish, be mentioned in our Hacker Hall-of-Fame.

Submit report

Reports can be submitted via the e-mail address [email protected]. Make sure that the following items (when applicable) are addressed in the email.

  • Contact details:
    • Name/nickname
    • E-mail address
  • Technical data:
    • IP addresses
    • Domain names
    • URLs
  • Description of the vulnerability:
    • Explanation
    • Impact or risk
    • Proof-of-Concept
    • Suggested solutions