Responsible Disclosure Statement
The security of our systems is very important to digitalAngel. We take various measures to protect your privacy. Have you discovered a vulnerability in the digitalAngel Platform? Please let us know before disclosing it to the outside world. This is called Responsible Disclosure (also see the guide on Responsible Disclosure). This statement explains how we would like to work with you to protect our clients and systems.
1. How do you report a vulnerability to us?
You can e-mail your findings to: firstname.lastname@example.org. Be sure to provide sufficient information so that we can reproduce and resolve the vulnerability. Typically, identifying the IP address or URL of the affected system and describing the vulnerability is adequate, but more complex vulnerabilities may require additional information. You may submit your report under a pseudonym, but please make sure we can reach you for feedback and any questions we may have.
2. How do you avoid abusing vulnerabilities?
Avoid abusing vulnerabilities by adhering to the following guidelines:
- Do not download more data than necessary to demonstrate the vulnerability (alternatively, you can make a directory listing of a system).
- Do not make any changes to the system.
- Do not repeatedly access the system.
- Do not share the access with third parties.
- Limit the viewing of third-party data.
- Do not delete or modify any data.
- Do not employ attacks on physical security, social engineering, spam, third-party applications, distributed denial of service or other forms of attack.
- Do not install malware.
- Do not share the vulnerability with others until it has been resolved.
- Delete all confidential data after the vulnerability has been resolved.
3. What do we do with your report?
We will send you a response as soon as possible—usually within 3 days. Our response will indicate how we will proceed with your report. We will keep you informed of our progress.
4. How will we treat you?
Your report will be treated confidentially. Your personal data is not usually shared with third parties, the exception to this being a legal obligation. When communicating about the vulnerability, we will mention your name as the discoverer (if we have your permission). If you adhere to these guidelines, we will not take any legal action on this report. In addition, we will give you €50 for your help with every legitimate report. The severity of the vulnerability and the quality of the report may lead to a higher reward.
Digital Angel Netherlands B.V. (Chamber of Commerce no. 8052626), with its registered office at 160 Reactorweg in Utrecht. This Responsible Disclosure statement is subject to change.
digitalAngel, June 2019