Responsible disclosure

Program rules

In order to protect our systems and users, we have compiled a list of rules regarding vulnerability disclosure:

  • Only the systems within our scope are applicable.
  • Report the vulnerability as quickly as possible after its discovery.
  • Do not take advantage of the vulnerability or problem you have discovered. For example by downloading more data than necessary to demonstrate the vulnerability or by deleting or modifying other people’s data.
  • Where applicable, you must only use your own data (name, email-address) to demonstrate the vulnerability.
    • The use of pseudonyms is allowed.
  • Do not reveal the problem until it has been resolved.
  • Avoid the following actions to keep the impact minimum:
    • Installing malware
    • Making changes to a system
    • Copying, changing or deleting data
  • Overall, handle the knowledge on the security problem or vulnerability with care by not performing any acts other than those necessary to demonstrate the vulnerability.
  • Please provide us with sufficient information to reproduce the problem, for example with a Proof-of-Concept, so we can resolve it as quickly as possible.
  • When duplicate reports occur, we only award the first report that was received provided that it can be fully reproduced.

We ask that all disclosures are kept confidential in order to protect our community. Under very specific circumstances, and concerning major disclosures, we can foresee a common public communication. However, this must be agreed on beforehand at responsibledisclosure@on2it.net.

Rewards

All responsible disclosures are rated by our security professionals in order to calculate a possible reward. These rewards are paid out using the Tremendous platform.

The following criteria are taken into consideration:

Reproduce-ability and verifiability of the vulnerability

Severity of the vulnerability disclosed

Likelihood that the vulnerability would have been exploited

Criticality of the assets that were affected by the vulnerability

Quality of the communication

Scope

Disclosures are only eligible if they are in line with the following scope

https://*.on2it.net/

https://*.on2it.nl/

Out-of-Scope

The following elements are known and accepted, and is not necessary to report on:

https://academy.on2it.net

https://zerotrust.on2it.net

https://feedback.on2it.net

Sender Policy Framework (SPF), DKIM and DMARC configuration suggestions

Contact Forms without limit of submission

Disclosure of known public files or directories (e.g. robots.txt)

Banner disclosure on common/public services without a PoC

Security header configurations or missing header

Lack of Secure/HTTPOnly flags on non-sensitive cookies

WordPress related wp-cron.php availability, appropriate measures for this are in place.

Informational disclosures regarding software versions or updates, including WordPress core/theme/plugins.

Privacy

As a European company based in the Netherlands, we apply to the highest standard of Data protection based on the GDPR. This means we keep the minimum amount of information about you, for a limited time and only for the sole purpose of communicating with you.

In short, when you report a vulnerability, we only collect your name (or pseudonym) and email-address. If you qualify to be registered in our Hall of Fame, we will request your consent to register your name here.

See our privacy policy for more information.