At ON2IT Inc., we consider the security of our systems a top priority. Because we are committed to system security, we understand even more the added value of Security researchers.
Therefore, dear Discloser, should you discover a vulnerability, we would like to be informed so we can take steps to address it as quickly as possible and take the necessary measures to remedy the vulnerability. We would like to ask you to help us better protect our systems and, as a consequence, our clients.
What we want to ask you:
- Email your findings to email@example.com;
- Report the vulnerability as quickly as possible after its discovery;
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data;
- Do not reveal the problem to others until it has been resolved;
- Do not use attacks on physical security, to social engineering, distributed denial of service, spam or applications of third parties. Also, avoid the following acts: installing malware, making changes to a system, copying, changing or deleting data in a system and using so called ‘brute force’ to access systems. Handle the knowledge on the security problem with care by not performing any acts other than those necessary to reveal the security problem;
- Make sure to provide sufficient information to reproduce the problem, so we can resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
What we promise:
- We will respond to your report as soon as possible with our evaluation of the report and an expected resolution date;
- If you have followed the instructions above, we will not take any legal action against you in relation to the report;
- We will handle your report with strict confidentiality, and we will not pass on your personal details to third parties without your permission;
- Of course, you may use a pseudonym if preferred;
- We will keep you informed of the progress in solving the problem;
- ON2IT offers a reward as thanks for your help. In order to ensure anonymity and limit risks, we provide rewards under the form of Amazon giftcards that are communciated to you via email. In addition, for disclosers who agreed to, we maintain a Hall of Fame of disclosers.
- We strive to resolve all problems as quickly as possible.
Frequently Asked Questions
What is not necessary to report on ?
- Sender Policy Framework (SPF), DKIM and DMARC configuration suggestions
- Contact Forms without limit of submission
- Disclosure of known public files or directories (e.g. robots.txt)
- Banner disclosure on common/public services without a PoC
- Security header configurations or missing header
- Lack of Secure/HTTPOnly flags on non-sensitive cookies
Is there a Reward, and how is it calculated ?
- Yes we reward our disclosers with Amazon gitcards (in US $).
- We determine the reward for disclosers based on the following criteria:
- Quality of the Communication
- Severity of the Vulnerability disclosed
- Likelihood that the Vulnerability would have been exploited
- Criticality of the assets that were affected by the Vulnerability
- Reproduceability and Verifiability of the Vulnerability
We do NOT value wild assumptions on our assets (e.g. Assuming that we do not enable MFA).
What do you do with my personal data ?
We also value privacy at ON2IT. As a European company based in the Netherlands, we apply the highest standard of Data protection based on the GDPR. This means that we keep the minimum amount of information about you, for a limited time and only for the sole purpose of communicating with you.
Therefore, when you communicate with us, we collect your name (or your given pseudonym) and your email address. These are the only Personal information that we need. We keep this information as long as we are dealing with your responsible disclosure. Once the case is closed, we will your data for as much as 1 year after the date of closing. After that, we delete your data.
If you qualify for it, we may offer you to be registered in our Hall of Fame. If so, we will request your consent to keep your name (or pseudonym) and email address for a longer period of time (maximum 5 years).
When will I hear from you after making a disclosure ?
Your submission should be acknowledged within 72 hours. The disclosure will then need to be validated after which you will be contacted again usually within 10 business days.
Do you recruit ?
We are constantly looking for skilled Security professionals ! Feel free to consult our Job offers. If you successfully disclosed a Vulnerability, meet the requirements of one of our Job offers and wish to apply. Please, let it know to the Recruiter. The IT Security Team will make sure to put a good word for you.
Can I publish anything about the vulnerability after my disclosure?
We ask that all Disclosures are kept confidential in order to protect our community. Under very specific circumstances, and concerning Major disclosures, we can foresee a common public communication. However, this must be agreed beforehand at firstname.lastname@example.org