Responsible Disclosure Policy
At Forendox, we believe that the security of our systems, our network and our products is very important. We pay a lot of attention to this during development and maintenance. However, sometimes vulnerabilities escape detection. We appreciate you notifying us if you find one. We would prefer to hear about it as soon as possible so that we can take measures to protect our customers. This document describes the procedure we have prepared for this.
If you believe you’ve found a security issue in our product or service, please notify us as soon as possible by emailing us at firstname.lastname@example.org.
- Do not share information about the security problem with others until the problem is resolved.
- Provide information about how and when the vulnerability or malfunction occurs. Clearly describe how this problem can be reproduced and provide information about the method used and the time of investigation.
- Be responsible with the knowledge about the security problem. Do not perform any actions beyond those necessary to demonstrate the security problem. Do not abuse the vulnerability and do not keep confidential data obtained through the vulnerability in the system.
- Leave your contact details (email address or telephone number) if you want, so that Forendox can contact you about the assessment and progress of the vulnerability solution. We also take anonymous reports seriously.
- Do not use physical attacks, DDoS attacks or social engineering.
Our responsible disclosure policy is not an invitation to actively scan our company network for vulnerabilities. Our systems are monitored continuously. As a result, there is a good chance that a scan will be detected and our Security Operations Center (SOC) will investigate it.
How does Forendox handle Responsible Disclosure?
When you report a suspected vulnerability in an IT system, we will deal with this in the following way:
- You will receive confirmation of receipt from Forendox within three business days after the report.
- You will receive a response within three business days after the confirmation of receipt containing an assessment of the report and the expected date of resolution. We strive to keep you informed of the progress towards resolution.
- Forendox will treat your report confidentially and will not share your information with third parties without your permission, unless this is required by law or by a court order.
- Forendox will determine together with you whether and how the problem is reported on. The problem will only be reported on after it has been resolved. If you wish, Forendox will mention your name as the discoverer in the reporting on the problem.
This Responsible Disclosure scheme is not intended for reporting complaints. The scheme is also not intended for:
- Reporting that the website is not available.
- Reporting fake emails (phishing emails).
- Reporting fraud.
For issues pertaining to the above and any other inquiries please get in touch with our support team.
Rewards / bug bounty
Forendox has a bug bounty scheme to encourage the reporting of problems concerning security of our systems. We make an appropriate monetary reward available for reports that actually lead to remedying a vulnerability or a change in our services. We decide whether the report is eligible, and the nature and amount of the remuneration.
Which systems/problems are excluded from bug bounty rewards?
Not all systems that are accessible under our logos fall under Forendox’s direct control. Although we also take reports regarding these systems very seriously, we cannot allow them to fall under a bug bounty scheme.
- Any software other than the website Forendox.com
- Hosting hardware and software
We also exclude specific problems that in our opinion do not constitute a threat outside of a laboratory set-up.
Excluded types of security problems
- (D)DoS attacks
- Problems that amount to self-XSS
- Error messages without sensitive data
- Reports from which software we use can be deduced
- Problems that require the use of heavily outdated operating systems, browsers or obsolete plug-ins
- Problems that are already known to us
Why did I not receive a reply?
Unfortunately, we had to make the choice to no longer respond to a specific category of reports. These reports took up too much of our time. If your report falls into this category, we might not have responded to it:
- Any report that, in full or in part, is not even about our organization and/or software.
- Any report that is spammed to us repeatedly over the course of a day, a week or months.
- Any report that lacks a PoC. It can be as little as a 2-step textual PoC about an actual issue.
- Any report that is copy/pasted feedback from a penetration testing suite, without you understanding the (lack of) impact.
- Any report based on best-practices that you read somewhere, but that are not relevant in this case.
- Any report that includes tricks; these reports are not your way into our network. Believe it.
To conclude this Responsible Disclosure Policy, keep in mind that we invite hacking. Please do so, but be nice. We applaud any attempt, from students, hobby hackers and professional red teams to crackers wanting to spend some spare time. But keep it ethical, so you do not force our hand to consider legal action.