At Harukey, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
If you nevertheless come across something that you regard as a vulnerability in one of our systems or services, please let us know straight away, so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.
What we ask of you
- E-mail your findings to firstname.lastname@example.org
- In your message, be complete and provide as much information as you can, so that we have the best possible chance of reproducing and resolving the problem you have encountered. In most cases, the IP address or URL of the system in question plus an outline of the vulnerability will be enough. However, a complex issue may require a detailed description (including screenshots, log entries, etc.).
- Keep an open line of communication with us to help us address the issue as quickly as possible.
- Act responsibly with your knowledge of the security issue. Go no further than necessary to demonstrate the vulnerability to us. Don’t misuse the encountered security problem, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data.
- Destroy any confidential information that may have come into your possession.
- Do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
What can you expect from us?
- We will acknowledge the receipt of your report within 7 days.
- We will respond to your report within a short period of time, if possible within 10 working days, with our review of the report and any expected date for resolution.
- If you have followed the instructions above, we will not take any legal action against you in regard to the report.
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
- We will keep you informed of the progress towards resolving the problem.
- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).
- Please note that we do not offer a reward or compensation in exchange for the reporting of a potential security issue.
- We don’t object to details concerning reported issues being published, on the condition that the issue has been resolved in the meantime and no longer poses a threat.
- If you have any questions, we encourage you to address them to email@example.com.
- In case of doubt about the applicability of this policy, please contact us first via this e-mail address, to ask for explicit permission.
- This policy shall be governed by the laws of Belgium. If a dispute arises regarding the application or interpretation of this policy which cannot be resolved amicably, it shall be submitted to the exclusive jurisdiction of the Courts of Antwerp.
- We reserve the right to change the content of this policy at any time, or to terminate the policy.
This text is a derivative work of “Responsible Disclosure” by Floor Terra, used under a Creative Commons Attribution license 3.0.
Responsible disclosure policy version 1.0 dated September 24th, 2021.