Responsible disclosure
Program rules
In order to protect our systems and users, we have compiled a list of rules regarding vulnerability disclosure:
- Only the systems within our scope are applicable.
- Report the vulnerability as quickly as possible after its discovery.
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or by deleting or modifying other people's data.
- Where applicable, you must only use your own data (name, email address) to demonstrate the vulnerability.
- The use of pseudonyms is allowed.
- Do not reveal the problem until it has been resolved.
- Avoid the following actions to keep the impact minimal:
  - Installing malware
  - Making changes to a system
  - Copying, changing or deleting data
- Overall, handle the knowledge on the security problem or vulnerability with care by not performing any acts other than those necessary to demonstrate the vulnerability.
- Please provide us with sufficient information to reproduce the problem, for example with a Proof-of-Concept, so we can resolve it as quickly as possible.
- When duplicate reports occur, we only award the first report that was received provided that it can be fully reproduced.
We ask that all disclosures are kept confidential in order to protect our community. Under very specific circumstances, and concerning major disclosures, we can foresee a common public communication. However, this must be agreed on beforehand at responsibledisclosure@on2it.net.
Rewards
All responsible disclosures are rated by our security professionals in order to calculate a possible reward. These rewards are paid out using the Tremendous platform.
The following criteria are taken into consideration:
- Reproducibility and verifiability of the vulnerability
- Severity of the vulnerability disclosed
- Likelihood that the vulnerability would have been exploited
- Criticality of the assets affected by the vulnerability
- Quality of the communication
Scope
Disclosures are only eligible if they are in line with the following scope:
- https://*.on2it.net/
- https://*.on2it.nl/
Out-of-Scope
The following elements are known and accepted, and do not need to be reported:
- Sender Policy Framework (SPF), DKIM and DMARC configuration suggestions
- Contact forms without a submission limit
- Disclosure of known public files or directories (e.g. robots.txt)
- Banner disclosure on common/public services without a PoC
- Security header configurations or missing headers
- Lack of Secure/HttpOnly flags on non-sensitive cookies
- WordPress-related wp-cron.php availability; appropriate measures for this are in place.
- Informational disclosures regarding software versions or updates, including WordPress core, themes and plugins.
Privacy
As a European company based in the Netherlands, we apply the highest standard of data protection, based on the GDPR. This means we keep the minimum amount of information about you, for a limited time and only for the sole purpose of communicating with you.
In short, when you report a vulnerability, we only collect your name (or pseudonym) and email address. If you qualify to be registered in our Hall of Fame, we will request your consent before registering your name there.
See our privacy policy for more information.