At ON2IT B.V., we consider the security of our systems a top priority. Because we are committed to system security, we understand even more the added value of Security researchers.
Therefore, dear Discloser, should you discover a vulnerability, we would like to be informed so we can take steps to address it as quickly as possible and take the necessary measures to remedy the vulnerability. We would like to ask you to help us better protect our systems and, as a consequence, our clients.
What we want to ask you:
Frequently Asked Questions
What is not necessary to report on ?
- Sender Policy Framework (SPF), DKIM and DMARC configuration suggestions
- Contact Forms without limit of submission
- Disclosure of known public files or directories (e.g. robots.txt)
- Banner disclosure on common/public services without a PoC
- Security header configurations or missing header
- Lack of Secure/HTTPOnly flags on non-sensitive cookies
Is there a Reward, and how is it calculated ?
- Yes we reward our disclosers with Amazon gitcards (in US $).
- We determine the reward for disclosers based on the following criteria:
- Quality of the Communication
- Severity of the Vulnerability disclosed
- Likelihood that the Vulnerability would have been exploited
- Criticality of the assets that were affected by the Vulnerability
- Reproduceability and Verifiability of the Vulnerability
We do NOT value wild assumptions on our assets (e.g. Assuming that we do not enable MFA).
What do you do with my personal data ?
We also value privacy at ON2IT. As a European company based in the Netherlands, we apply the highest standard of Data protection based on the GDPR. This means that we keep the minimum amount of information about you, for a limited time and only for the sole purpose of communicating with you.
Therefore, when you communicate with us, we collect your name (or your given pseudonym) and your email address. These are the only Personal information that we need. We keep this information as long as we are dealing with your responsible disclosure. Once the case is closed, we will your data for as much as 1 year after the date of closing. After that, we delete your data.
If you qualify for it, we may offer you to be registered in our Hall of Fame. If so, we will request your consent to keep your name (or pseudonym) and email address for a longer period of time (maximum 5 years).
When will I hear from you after making a disclosure ?
Your submission should be acknowledged within 72 hours. The disclosure will then need to be validated after which you will be contacted again usually within 10 business days.
Do you recruit ?
We are constantly looking for skilled Security professionals ! Feel free to consult our Job offers. If you successfully disclosed a Vulnerability, meet the requirements of one of our Job offers and wish to apply. Please, let it know to the Recruiter. The IT Security Team will make sure to put a good word for you.
Can I publish anything about the vulnerability after my disclosure?
We ask that all Disclosures are kept confidential in order to protect our community. Under very specific circumstances, and concerning Major disclosures, we can foresee a common public communication. However, this must be agreed beforehand at firstname.lastname@example.org