Responsible Disclosure

Publication date: 2024-05-01

When discovering a security problem / vulnerability in one of our systems, we request that the discoverer of this problem contact us. We appreciate the careful reporting of such vulnerabilities according to the conditions below and are happy to work together so that we can take measures as quickly as possible.

We ask you to adhere to the following conditions:

  • Contact us via [email protected].
  • Use this PGP key to sign and protect your message!
  • Do not abuse or share the problem with others until it is resolved;
  • Erase any confidential data obtained immediately or at the latest after resolving the vulnerability.

The following types of potential vulnerabilities are excluded from this responsible disclosure policy:

  • Reports related to rate limits applied to any endpoint;
  • Perceived excessive volumes of sent email (e.g., mail flooding);
  • Texts in email that are processed as hyperlinks by the email client while not sent as such;
  • Login or Forgot Password page brute force and account lockout not being enforced;
  • Absence of the MTA-STS record (which is currently being worked on).

Further processing takes place as follows:

  • We will respond to the report as soon as possible, but no later than within 3 working days. If possible, we will provide our assessment and an expected date for resolution. We will keep you informed of the progress of solving the problem;
  • We will get in touch with you to safely exchange necessary details. Usually the IP address or URL of the affected system and a description of the vulnerability will suffice, but more complex vulnerabilities may require more detailed information;
  • Vulnerabilities that apply to services provided by third parties will be forwarded to these parties. Rewards are typically not provided by Axxemble and depend on these third parties;
  • We treat your report confidentially and will not share your personal information with third parties without your permission unless this is necessary to comply with a legal obligation. When reporting on the problem, we will list your name as 'the discoverer' if you wish;
  • When duplicate reports are received about a specific security issue, any reward will be awarded to the first person to report the security issue. We determine whether there is a double report and do not share substantive data about the reports concerned;
  • We aim to resolve all issues as quickly as possible and are happy to be involved in any publication of the issue after it has been resolved;
  • If you have complied with the above conditions, we will not take legal action against you regarding the reported security problem.

As a thank you for your efforts and support, we offer a reward for every report of a security problem unknown to us. We determine the size of the reward.

Do you have any questions? Please feel free to contact us via: [email protected] or by phone: +31(0)85 303 8429.