Responsible Disclosure
At Forculus, we consider the security of our systems, network, and products to be of paramount importance. Despite our commitment to security, it's possible that a vulnerability will be discovered. If this happens, we would appreciate hearing about it as soon as possible so we can take swift action.
Weaknesses can be discovered in two ways: you accidentally encounter one during normal use of a digital environment, or you make a conscious effort to find a hidden vulnerability.
Our responsible disclosure policy is not an invitation to actively explore our company network for hidden vulnerabilities.
Regarding our products, you are cordially invited to actively search for vulnerabilities in an offline, non-production environment and report your findings to us. Out of responsibility to our customers, we do not want to encourage hacking attempts on their infrastructure. However, this also implies that we want to hear from you as soon as possible if vulnerabilities are found, so we can adequately address them.
We would like to work with you to better protect our customers and our systems.
We ask that you:
Email your discoveries as soon as possible to security@forculus.eu.
Do not abuse the vulnerability by, for example, downloading, changing, or deleting data. We always take your report seriously and investigate any suspicion of a vulnerability, even without proof.
Do not share the problem with others until it has been resolved.
Do not use attack methods such as social engineering, or hacking tools such as vulnerability scanners.
Provide us with enough information about the problem to reproduce it, so we can resolve it as quickly as possible. The IP address or URL of the affected system and a description of the vulnerability are usually sufficient, but more complex vulnerabilities may require more information.
What we promise:
We will respond to your report within three business days with our assessment of the report and an estimated resolution date.
We will process your report and will not share your personal data with third parties without your consent. The one exception is if we file a police report, in which case the police and judicial authorities may receive your details. We will keep you informed of the progress of resolving the problem.
In our own reporting on the problem, we will, if you wish, credit you by name as the discoverer.
Unfortunately, we cannot rule out legal action against you in advance; we want to be able to consider each situation individually. We consider ourselves morally obligated to file a police report if we suspect that a vulnerability or the data it exposes is being misused, or if you have shared knowledge of the vulnerability with others. You can rest assured that an accidental discovery in our online environment will not lead to a police report.
As a thank you for your help, we offer a reward for every report of a security vulnerability not yet known to us. The size of the reward will be determined based on the severity of the vulnerability and the quality of the report.
We strive to resolve all problems as quickly as possible, keep all involved parties informed, and would like to be involved in any publication about the problem after it has been resolved.
Thanks to Floor Terra for his sample text at http://responsibledisclosure.nl/
Recognizing those who responsibly disclosed security issues:
view our Hall of Fame of contributors.
