We are dedicated to providing a secure environment for our customers, our visitors and ourselves. Therefore, we appreciate it if you notify us of any security issues you may encounter. Since we launched our responsible disclosure policy in 2012, we have learned that not all reported issues are useful. In order to help you, we wrote a post on Medium about common mistakes and red herrings when reporting security issues to us.
Rules of Engagement
While we value that you give us a chance to fix a problem, we kindly request the following:
- do not abuse your finding. We really want to fix it!
- do not share your finding with other parties.
- we will assess and respond within a reasonable time frame (we really, really want to fix things).
Anonymity or credits and publication
We understand that you may want to get credit for your finding, but we also understand that you may explicitly not. Your anonymity is guaranteed by default, unless you explicitly request otherwise.
Given the nature of our business and the contracts with our customers, we may not always be in a position to make the full details of your vulnerability public. We promise that, if you want credit, your name or alias will always accompany the details of the vulnerability as we distribute them. In case we cannot make the details of the vulnerability public, we can, if desired, publish an article on Medium where we acknowledge your valuable input.
Unless you object, we will include a general description of your vulnerability and your name, handle or the phrase ‘an anonymous researcher’ in our hall of fame page.
We appreciate your findings and in exchange we offer any one of the following:
- a gift card valid on thinkgeek.com ($50) or getdigital.eu (€50)
- a donation to Room To Read
- a bottle of Champagne (you have to collect it. We have had very bad experiences with shipping it …)
We prefer contact by encrypted e-mail.
Please use our PGP public key, which is publicly signed on https://keybase.io/schubergphilis
Please do not send sensitive data over unencrypted/public media, like Twitter or Facebook.
Our e-mail address: firstname.lastname@example.org