Responsible Disclosure
At Aqqo BV, we prioritize the security of our systems. Despite our continuous efforts to maintain system security, vulnerabilities might occasionally arise.
If you've identified a vulnerability in one of our systems, please notify us immediately so we can address the issue promptly. We value collaboration and aim to work together to better protect our customers and our infrastructure.
We kindly request:
- To email your findings to responsibledisclosure@aqqo.com. Please encrypt your findings using our PGP key to ensure that the information doesn't fall into the wrong hands.
- Not to exploit the vulnerability beyond what's required to demonstrate it, for example by downloading more data than necessary, or by accessing, deleting, or modifying third-party data.
- To refrain from sharing details of the vulnerability with others until the issue is resolved, and to erase all confidential data obtained through the vulnerability immediately after the issue is fixed.
- To avoid using physical security attacks, social engineering, distributed denial of service, spam, or third-party applications.
- To provide sufficient details to replicate the issue, enabling us to address it promptly. Typically, the IP address or URL of the affected system and a description of the vulnerability suffice, but more intricate vulnerabilities might require additional information.
Our commitment:
- We will acknowledge your report within 3 days, providing an assessment and an expected resolution date.
- If you've adhered to the guidelines above, we will not pursue legal action concerning your report.
- We'll handle your report with confidentiality and won't share your personal details without your consent unless legally obligated. Reporting under a pseudonym is acceptable.
- We'll keep you updated on the progress of the issue's resolution. If desired, we can credit you as the discoverer in any related communications.
- As a token of gratitude for your assistance, we offer rewards for every valid report of a previously unknown security issue. The reward's magnitude is determined based on the severity of the vulnerability and the quality of the report, starting with a voucher worth €25.
We aim to address all issues as swiftly as possible. Additionally, we appreciate being included in any potential publication regarding the vulnerability after its resolution.
This text was written by Floor Terra and is published under a Creative Commons Attribution 3.0 license.