Skip to content
You can use this document for anything

This is the template of a vulnerability disclosure policy that you can use for your vulnerability disclosure program.

The contents of the vulnerability disclosure policy are marked with CC0 1.0.

This means you can use it for any purpose, also commercially, without attribution (even though we appreciated it).

Vulnerability Disclosure Policy

As a [todo] company, we know that any system and infrastructure can be(come) vulnerable. We encourage everyone to report security vulnerabilities.
This protects us, our customers, partners and stakeholders and makes the world a little more secure.

Safe Harbour

We will not take any legal action against activities complying with this policy. If legal actions are initiated by third parties due to activities compliant with this policy, we will take actions to make it known to responsibles and/or legal authorities.

Our promise

We will review and respond to your report promptly and conduct an open dialog with you. We will provide a timeline for when we expect the vulnerability to be fixed. As a mark of recognition, we reward you with an up-to-date YubiKey for your personal use (max. one per person per year) for high or critical issues (following CVSSv3.1). We will give you credits for your findings and include you in our hall of fame if desired.

Your promise

You promise to use discovered vulnerabilities for no other purpose than reporting them to us. Vulnerabilities are reported exclusively and privately, promptly after detection. You promise to not take actions with the intention to harm us, our customers, partners, or any other stakeholder.

Scope

The scope of this vulnerability disclosure policy (VDP) includes:

  • [todo]

The following activities are prohibited:

  • Denial of service (incl resource-exhaustion, automated scanners with high loads, deleting data, fuzzing, etc)
  • Spamming
  • Social engineering (including phishing)
  • Physical access (incl entering or surveilling properties)
  • Attacking non-internet facing systems (internal networks, private IPs, workstations, etc)
  • Installing persistent backdoors

Issues without direct security impact, lack of hardening, or defense-in-depth measures are out of the scope of this VDP. This includes (but is not limited to):

  • Presence/absence of DKIM/SPF/DMARC records
  • Missing http headers (such as CSP, Permissions-Policy, etc)
  • Clickjacking
  • Missing http cookie flags
  • Information disclosure of non-sensitive contents (like robots.txt, sitemap.xml, files, directories, etc)
  • Absence of best practices
  • Self-Attacks
  • CSRF with low or no impact
  • Open ports
  • Attacks requiring pre-conditions that would be security issues per se (e.g. usage of outdated browsers, vulnerable browser plugins, weak user passwords)
  • Lookalike domains
  • Homograph attacks
  • Broken links
  • Metadata in assets (like images, PDFs, etc)
  • Theoretical attacks with no realistic exploit scenario
  • Weak SSL/TLS settings
  • Software that is out of date without proven security impact
  • Missing multi-factor authentication
  • Recently patched vulnerabilities in third-party software within two weeks after publication

Contact

Please contact us via [todo].

Thank You ❤

Thank's to all who report security vulnerabilities to us.