Coordinated Vulnerability Disclosure
If you find a weak spot in one of the ICT systems of Guardian360 B.V. (Guardian360), we would be pleased to hear from you as soon as possible so that the necessary measures can be taken.
Guardian360 would like to work with you to secure and protect our ICT systems even better. To that end, Guardian360 applies the following policy for handling reports of vulnerabilities you identify in the IT systems of Guardian360. You may hold Guardian360 to this policy when you find a weak spot in one of its systems.
We ask you:
- To mail your findings to firstname.lastname@example.org
- To give sufficient information to reproduce the problem so that Guardian360 can fix it as soon as possible. Usually the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but for more complex vulnerabilities additional information may be needed.
- To leave contact details, so that Guardian360 can contact you to work together on a secure outcome. Leave at least an email address or telephone number.
- To report the vulnerability as soon as possible after discovering it.
- Not to share any information about the security problem with others until it is resolved.
- To handle your knowledge of the security problem responsibly, by not performing actions that go beyond what is necessary to demonstrate the problem itself.
So in any case, avoid the following:
- Placing malware.
- Copying, modifying, or deleting data in a system (an alternative is to create a directory listing of the system).
- Making changes in the system.
- Repeatedly obtaining access to the system or sharing access with others.
- Making use of so-called "brute forcing" to gain access to the systems.
- Using denial-of-service (DoS) attacks or social engineering (psychological manipulation of people).
What you may expect:
- If you report a vulnerability you identified in an IT system of Guardian360 and you meet the above conditions, Guardian360 will not attach any legal consequences to your report.
- Guardian360 will treat this material as confidential and will not share personal information with third parties without the consent of the reporter, unless required by law or under a court order.
- Guardian360 will send you a confirmation within 3 business days.
- Guardian360 will respond to your report within 7 business days with its assessment of the report and an expected date for a solution.
- Guardian360 keeps the reporter informed of the progress in solving the problem.
- Guardian360 solves the security problem you identified in the system as soon as possible, and at the latest within 90 days. Whether and how the problem is published after it has been resolved can be determined by mutual agreement.
- Guardian360 offers a reward as a thank you for your help. Depending on the severity of the vulnerability and the quality of the report, the reward can range from a t-shirt up to an amount of 300 euros in gift vouchers. The reward applies only to a serious security problem not already known to Guardian360.