At VI Company, we consider the security of our systems a top priority. But no matter how much effort we put into system security, vulnerabilities could still slip through. If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.
In our opinion, the practice of 'responsible disclosure' is the best way to safeguard the Internet. It allows individuals to notify companies like VI Company of any security threats before going public with the information. This gives us a fighting chance to resolve the problem before the criminally-minded become aware of it.
Responsible disclosure is the industry best practice, and we recommend it as a procedure to anyone researching security vulnerabilities.
Not an invitation to actively scan our network
Our Responsible Disclosure Policy is not an invitation to actively scan our network or our systems for weaknesses. We are monitoring our company network. Therefore, we are likely to pick up your scan, which our First Response Team (FRT) will investigate, which possibly leads to unnecessary costs.
During your investigation it could be possible that you take actions that are prohibited by law. We do not advise you to do so, but if you have met the conditions in this agreement, we will not take legal action against you as VI Company. However, the Public Prosecutor always has the right to decide whether or not to prosecute you.
Rules of engagement
We are interested in hearing about security issues on our own web service. This means our customers are exempt from this scope unless explicitly stated they are not. To be eligible for a reward, note that we typically require the issue report to have some actual security impact in a realistic scenario. This does not mean you need to fully exploit issues, just provide the information you have, and we will analyze your report and draw conclusions on the impact.
There are some things we explicitly ask you not to do:
- When experimenting, please only attack test accounts you control. A proof of concept which unnecessarily involves accounts of other end users or VI Company employees may be disqualified.
- Do not test the physical security of VI Company offices, employees, equipment, etc.
- Do not test using social engineering techniques (phishing, vishing, etc.)
- Do not perform DoS or DDoS attacks.
- Do not, in any way, attack our end users or engage in trade of stolen user credentials.
- Do not abuse the found vulnerability by:
- Downloading more data than necessary
- Changing or removing data
- Sharing the vulnerability until it is resolved
Our request to you:
- Report your finding as quickly as possible by sending an e-mail to: firstname.lastname@example.org.
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
- Give us a minimum of 30 days to resolve the issue before going public with the vulnerability.
What we promise:
- We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date
- If you have followed the instructions above, we will not take any legal action against you in regard to the report
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission
- We will keep you informed of the progress towards resolving the problem
- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise)
- As a token of our gratitude for your assistance, we offer a reward for every report of a security problem that was not yet known to us. The amount of the reward will be determined based on the severity of the leak and the quality of the report. The minimum reward will be €75.
The following finding types are specifically excluded from the bounty:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Security header issues without proof of concept.