Responsible disclosure
At FORCYD we take the security of our systems, our network and our products seriously. Although we put a great deal of care into security, a weak spot may still be found. If that happens, we would like to hear about it as soon as possible so that we can act quickly.
Weaknesses can be discovered in two ways: you stumble upon something during normal use of a digital environment, or you deliberately set out to find a weak spot. Our responsible disclosure policy is not an invitation to actively scan our company network for weaknesses. We monitor our network ourselves, so a scan is likely to be picked up and investigated by our Security Operations Center (SOC), which causes unnecessary costs. As far as our products are concerned, you are cordially invited to actively look for vulnerabilities in an offline, non-production environment and to report your findings to us. Out of accountability to our customers, we do not encourage hacking attempts against their infrastructure. Here too, however, we want to hear about vulnerabilities as soon as they are found so that we can fix them properly. We would like to work with you to better protect our customers and our systems.
WE ASK YOU
- Send your findings as quickly as possible to responsibledisclosure@forcyd.com, and encrypt your message with our PGP key (Fingerprint: C569 7486 1AD5 E1E0 9FD5 C158 13BC 0557 8803 0BFD). Check that the fingerprint of the key you use matches the one published here before encrypting.
- Do not abuse the weakness by, for example, downloading, changing or deleting data. We always take your report seriously and investigate every suspected vulnerability, even without a working 'proof'.
- Do not share the problem with others until it has been resolved.
- Do not use attacks on physical security, social engineering, or automated hacking tools such as vulnerability scanners.
- Give us enough information to reproduce the problem so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more complex vulnerabilities may require more detail (for example, the exact request, the steps to trigger the issue and the observed result).
- Please note that our corporate WordPress website (hosted at forcyd.com) is out of scope. Third-party (SaaS) applications on our domain(s) that are not managed by us are also out of scope for a bounty. We still welcome reports of vulnerabilities in these systems, but they do not qualify for a reward.
WE PROMISE YOU
- We will respond to your report within three working days with our assessment and an expected date for a fix.
- We will treat your report confidentially and will not share your personal information with third parties without your consent. The exception is the police and the judiciary, if a criminal complaint is filed or the data are demanded by law.
- We will keep you informed of the progress made in resolving the problem.
- In any report about the problem we will, if you wish, name you as the discoverer.
- Unfortunately, we cannot rule out legal action against you in advance; we want to be able to weigh each situation on its own. We consider ourselves morally obliged to file a report with the authorities the moment we suspect that the weakness or the data are being abused, or that you have shared knowledge of the weakness with others. You can count on it that an accidental discovery in our online environment will not lead to such a report.
- As a thank you for your help, we offer a reward for every report of a previously unknown security problem. We determine the size of the reward based on the severity of the vulnerability and the quality of the report.
We strive to resolve all problems as quickly as possible and to keep all parties involved informed, and we are happy to contribute to any publication about the problem after it has been resolved.
HALL OF THANKS
At this time, no individual or organisation has been added to our Hall of Thanks.
This page was last updated in April 2024.