Responsible Disclosure

At RED-IT, we consider the security of our systems to be of paramount importance. Despite our commitment to system security, vulnerabilities can still occur. If you discover a vulnerability in one of our systems, please let us know so we can take action as quickly as possible. We'd like to work with you to further protect our customers and our systems.

We ask you:

  • Please email your findings to security@red-it.nl.
  • Do not abuse the problem by, for example, downloading more data than is necessary to demonstrate the leak or by viewing, deleting or modifying third-party data.
  • Do not share the issue with others until it is resolved, and delete all confidential data obtained through the vulnerability immediately after the vulnerability has been closed.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications, etc.
  • Provide enough information to reproduce the problem so we can resolve it as quickly as possible. The IP address or URL of the affected system and a description of the vulnerability are usually sufficient, but more information may be required for more complex vulnerabilities.

What we promise:

  • You will receive a response to your report within three business days with our assessment of the report and an expected date for a resolution.
  • We will not take legal action against you regarding the notification if you have complied with the above conditions.
  • We will treat your report confidentially and will not share your personal information with third parties without your permission, unless necessary to comply with a legal obligation. Reporting under a pseudonym is possible.
  • We will keep you informed of the progress of resolving the problem.
  • In communications about the reported problem, we will, if you so desire, mention your name as the discoverer.
  • To thank you for your help, we're offering a reward for every report of a security vulnerability we haven't yet identified. The reward amount will be determined based on the severity of the vulnerability and the quality of the report.

We strive to resolve all issues as quickly as possible and we would like to be involved in any publication about the issue after it has been resolved.

The above text is based on that of responsibledisclosure.nl.