Responsible Disclosure

Last Updated: January 2026

Forculus is committed to maintaining the security and availability of its digital services. We value the work of security researchers and welcome responsible disclosure of potential vulnerabilities.

Because our services rely on trusted third-party providers, it is essential that vulnerabilities are reported to the correct organization to ensure timely and effective remediation.

This page explains what to report to Forculus directly and when to report vulnerabilities to our partners instead.

Scope

In scope for Forculus

Please report vulnerabilities directly to Forculus if they relate to:

  • Content, configuration, or functionality explicitly created or managed by Forculus

  • Logical or business-logic flaws in Forculus-specific services or processes

  • Misconfigurations or security issues introduced by Forculus personnel

  • Any security issue where responsibility clearly lies with Forculus rather than an underlying platform provider

Out of scope for Forculus (report to partners)

Forculus uses industry-standard platforms to host and operate its services. Vulnerabilities in these platforms must be reported directly to the responsible provider, not to Forculus.

Website hosting and platform

Our website is hosted on Squarespace.
All vulnerabilities related to the Squarespace platform, including but not limited to:

  • Core CMS functionality

  • Hosting infrastructure

  • Platform-level authentication or authorization

  • Squarespace-managed plugins, themes, or services

must be reported via Squarespace’s vulnerability reporting process:

https://www.squarespace.com/vulnerability-reporting

Domain registration and DNS

Our domain registration and DNS services are provided by Vimexx.
Security issues related to:

  • Domain registration

  • DNS hosting

  • Registrar-level services

fall under Vimexx’s bug bounty and security program:

https://www.vimexx.nl/security/bug-bounty

Identity, email, and collaboration services

Forculus uses Microsoft 365 for identity management, email, and collaboration.
Vulnerabilities related to:

  • Microsoft 365 services

  • Microsoft Entra ID (formerly Azure Active Directory)

  • Exchange Online, Outlook, or Microsoft-managed authentication

must be reported directly to Microsoft through the Microsoft Security Response Center (MSRC) security reporting channels.

Unsure who is responsible?

If you are genuinely uncertain whether a vulnerability falls under Forculus or one of our partners, you may submit an initial report to Forculus. We will review the submission and, if necessary, coordinate with the appropriate provider.

Please note that Forculus cannot remediate platform-level vulnerabilities in third-party services.

How to report a vulnerability to Forculus

If your finding is within scope for Forculus, please submit your report via email:

Email: security@forculus.eu

Please include:

  • A clear description of the vulnerability

  • Affected URL(s), system(s), or functionality

  • Steps to reproduce (proof-of-concept where possible)

  • Potential impact assessment

  • Your contact details for follow-up

Responsible disclosure principles

We ask that all researchers adhere to standard responsible disclosure practices:

  • Do not exploit vulnerabilities beyond what is necessary to demonstrate risk

  • Do not access, modify, or delete data belonging to others

  • Do not perform denial-of-service attacks

  • Do not publicly disclose details before remediation or mutual agreement

Forculus commits to:

  • Acknowledge receipt of valid reports

  • Assess and address issues within a reasonable timeframe

  • Coordinate responsibly with relevant partners where applicable

Recognition and discretionary rewards

At its sole discretion, Forculus may provide a reward and/or public recognition in a Forculus Hall of Fame for validated vulnerabilities that:

  • Are reported directly to Forculus

  • Fall within the defined scope of this policy

  • Are submitted in good faith and in accordance with responsible disclosure principles

Any reward, its form, and any public recognition are entirely discretionary, non-guaranteed, and subject to Forculus’ internal assessment and policies. Submission of a vulnerability report does not create any entitlement, contractual obligation, or expectation of compensation or recognition.

Hall of Fame consent

If Forculus elects to provide public recognition, the researcher will be listed using the name, alias, or handle explicitly approved by the researcher. Participation in the Hall of Fame is optional, and researchers may decline or request removal at any time.

Forculus will not publish personal data beyond what is expressly consented to for recognition purposes.

Tax and compliance

Any discretionary reward provided by Forculus, if applicable, may be subject to tax, reporting, or compliance obligations under applicable law. Responsibility for any such obligations rests solely with the recipient. Forculus does not provide tax or legal advice.

Legal safe harbor

When conducting vulnerability research in good faith and in accordance with this policy, Forculus will not initiate legal action against researchers and will consider such activities authorized.

Recognizing those who responsibly disclosed security issues: view our Hall of Fame of contributors.