Skip to content

Latest commit

 

History

History
48 lines (35 loc) · 4.31 KB

SECURITY.md

File metadata and controls

48 lines (35 loc) · 4.31 KB

Security Policy

Have you discovered a security issue in NL-Portal? Let us know!

Ritense is strongly committed to responding to disclosed security-related issues. Security is of the essence for all users of this software stack. Keeping software secure is complex job - we value all suggestions to keep the software secure.

How to report?

Send an email to [email protected]. If you want to notify us anonymously you can use a anonymous email address, for example Apple’s Hide My Email. Do note we cannot send you feedback, a thank you or additional questions if you use a temporary email address.

Please clearly explain how the vulnerability can be exploited, preferably with screenshots and a step-by-step explanation. If possible include the version of Valtimo you used. If it concerns a running instance, please note the url and state the exact date and time you used the vulnerability. This helps us with our analysis of your report.

Information about the processing of your personal data

We ask you to provide your name, email address and telephone number in order to communicate with you regarding your report. Providing a name and telephone number is optional. If you are eligible for a reward, we will also need your address if you wish us to send it to you. We may therefore ask for your address after your report is processed. Your data will not be shared with third parties unless disclosure of these data is compelled by law or by a court ruling.

We ask you to..

  • Not disclose the issue in other channels like social media.
  • Not share the info with others.
  • Not make any further attempts to use the vulnerability again after the notification.
  • Only do what is strictly necessary to demonstrate the vulnerability.
  • Not apply general vulnerability scanning on live systems.
  • Not place a backdoor in an information system, regardless of its purpose (such as to demonstrate a vulnerability).
  • Not copy, change or delete data from- or in running systems. Only send us the (minimum) information you need to demonstrate the problem. For example, create a directory listing of files or screenshots with only the information needed to demonstrate the vulnerability.
  • Not social engineer.
  • Not affect the availability of running systems.
  • Not use so-called 'brute force attacks' to get into running systems.

Our promise

  • You will receive an acknowledgment from us as soon as possible, and at least within 3 working days. Depending on the action to be taken, you may receive further follow-up emails.
  • If you have complied with the above conditions, we will not take legal action against you regarding the report.
  • We treat your report confidentially and will not share your personal information with third parties without your consent, unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is possible.
  • We will keep you informed of the progress of solving the problem.
  • We will, if you wish, include your name as the discoverer in reporting about the reported problem.
  • As a thank you for your help, we offer a reward for every report of a security problem unknown to us. We determine the size of the reward based on the severity of the leak and the quality of the report, with a minimum of a voucher of €50.

As a thank you

We value your contribution to keeping this software secure. We have small rewards for valuable notifications:

  • A Ritense hoods or
  • Diner check

We determine whether a reward applies and which reward is offered, based on the risk of the security problem. To be eligible, a report must be valid and unreported, and the reported vulnerability must be significant in terms of risk.

A Reward is not offered if a reporter or the report does not comply with the rules of this procedure. If the report does not concern a security issue or poses a low risk, no reward may be offered.

When duplicate reports are received about a specific vulnerability, the reward will be awarded to the first person to report this vulnerability. A reward awarded will only be provided to one person.

We try to award equal rewards for similar security vulnerabilities. However, the rewards and the eligible security vulnerabilities are subject to change. Remunerations awarded in the past do not guarantee rewards offered in the future. Anonymous reports are excluded from participation in the rewards program.