Last modified 23.07.2021
At Marvia, we consider the security of our software a top priority. No matter how much effort we put into system security, there still can be vulnerabilities present. This document details our stance on reported security problems. If you discover a vulnerability, we would like you to inform us so we can take appropriate action as quickly as possible.
- Email your findings to email@example.com. You can encrypt your emails using this PGP key to prevent this critical information from falling into the wrong hands;
- Do not take advantage of the vulnerability or problem you have discovered. For example, downloading more data than necessary to demonstrate the vulnerability or modifying or deleting data;
- Do not reveal the problem to others until it has been resolved. We take all reports extremely seriously and will get back to you as soon as possible;
- Do not use attacks on physical security, social engineering, (distributed) denial of service, spam, or applications of third parties;
- Provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible.
- We respond to your report within 3 business days;
- We respond with our evaluation within 7 business days;
- If you followed the instructions above, we will not take legal action against you in regard to your report;
- We will handle your report with strict confidentiality and will never pass on your personal details to third parties without your permission;
- We will keep you informed of the progress towards resolving the problem.
Marvia appreciated your help in keeping our software safe. Depending on the vulnerability being reported, we may offer a reward. Typical rewards are bounties up to 100 euros for low severity vulnerabilities and higher bounty amounts for more severe issues. The specific reward is at our discretion. We will not reward a bounty for vulnerabilities that:
- Are already known to us
- Cannot be proven to be exploitable
- Were found in a manner not conforming to these guidelines
- Services that are out of scope. These include, but are not limited to:
- Are unconfirmed reports from automatic vulnerability scanners
- Are related to rate limits or brute force attacks
- Only demonstrate the ability to infer versions of software that we run (banner grabbing)
We will pay out bounties to any individual permissible under Dutch law. Bounties will always be paid out to a single individual and not to a group of people.
This policy was adapted from Floor Terra’s example policy from https://responsibledisclosure.nl