Vulnerability disclosure policy

Firely vulnerability disclosure policy

Version 1.1, February 22, 2024 

Security is important to Firely and its clients. While we take great care to ensure our products and services are secure, it can still happen that someone finds a vulnerability. If you do, please let us know as soon as possible by following the steps described in this coordinated vulnerability disclosure policy.

We ask you to:

  • Send your findings to us by email (security@fire.ly) as soon as possible
  • Provide sufficient information to reproduce the problem, so we can fix it as soon as possible
  • Not run tests that involve physical security, social engineering, or third-party applications
  • Not run brute force or denial of service attacks
  • Not exploit the vulnerability to, for example, change or delete data, or install malware
  • Not share the problem with others until we have fixed it, unless required by law or regulation
  • Not copy data from our systems beyond what is absolutely necessary to demonstrate the vulnerability
  • Leave your contact details (email address and phone number), so we can get in touch and work with you to fix the problem

We promise:

  • To give our initial response to your vulnerability disclosure report within 10 working days, unless your report concerns one of the exclusions listed below; in that case we may not respond to your email
  • To treat your vulnerability disclosure report confidentially: we will not share your personal information without your consent, except with the police and the judiciary when legally required
  • To keep you informed of our progress in solving the problem
  • If we decide to publish about the fixed vulnerability, to offer to credit you by name as the discoverer of the vulnerability
  • That an accidental discovery of a vulnerability will not lead to legal charges against you, as long as you play by the rules and act in the spirit of Coordinated Vulnerability Disclosure
  • While we are grateful for reported vulnerabilities, we do not (by default) give a reward, because we do not want to encourage active scanning for vulnerabilities

Exclusions:

Since our time is scarce, we ask you to:

  • Not report trivial findings for which there is no known exploit or no real risk involved
  • Not blindly report findings from automated vulnerability scanning tools; take some time to understand the nature of our website and service before reporting anything

Below are some examples of findings that you should not report. If you do, please be aware that we may not respond to your email.

  • Header information disclosures
  • Issues regarding security headers
  • Issues regarding the web- and mail test on Internet.nl
  • Issues regarding the server test of SSL Labs
  • Publicly accessible files or folders containing non-sensitive information (such as robots.txt or images)