If you come across a vulnerability, please do the following:
- Send your findings to email@example.com. Encrypt your findings with our PGP key to prevent the information from falling into the wrong hands.
- Report the problem as quickly as possible, to minimise the risk of unauthorised use of the vulnerability, or hostile actors taking advantage of it.
- Report the problem in a clear and concise way, and in such a way that the information you submitted is secure and cannot be intercepted by third parties.
- Delete any data that was required through the vulnerability as soon as the problem is resolved, unless requested otherwise by Networking4all.
- Provide sufficient information to reproduce the problem, such as a specific URL where the problem occurred or the steps that were taken up until the moment the problem arose, so Networking4all can resolve the problem as quickly as possible.
- Do not abuse the problem by downloading more data than is necessary to detect the leak or to check, remove or modify third-party data.
- Do not reveal the vulnerability to others until the vulnerability has been solved.
- Do not make changes to the system or utilise the vulnerability further than necessary to establish its existence.
- Do not copy, modify, or delete data on the system, or make a directory listing of the system.
- Do not make use of attacks on physical security, social engineering, distributed denial of service, third-party spam or applications.
What we promise:
- We'll respond to your report within 5 working days with our review of the notification and an expected date for a solution.
- If you have met the above terms, we will not take legal action regarding the notification.
- We treat your report confidentially and will not share your personal information with third parties without your consent unless necessary to comply with a legal obligation. Reporting under a pseudonym is possible.
- We will keep you informed of the progress towards resolving the problem.
- Upon public notification of the problem, you will be mentioned by name as the discoverer of the vulnerability, unless you desire otherwise.