Responsible Disclosure

 

We consider the security of our applications and the privacy of our customers to be of paramount importance. Despite our efforts and utmost dedication, there can still be vulnerabilities present.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems and are happy to work with you to resolve the vulnerability as soon as possible.

Please do the following:

  • Report security vulnerabilities (or suspicion thereof) to PXS’s security department by emailing dataprivacy [at] pxs [dot] com.
  • Do not abuse the vulnerability you have discovered, for example (but not limited to) by using attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties, by downloading more data than necessary to demonstrate the vulnerability, or by deleting or modifying other people's data. If this happens, we may have to pursue legal action.
  • Provide sufficient information (for example, a detailed description including IP addresses, logs, how to reproduce the vulnerability, screenshots, etc.) so we will be able to analyze and resolve the problem as effectively as possible;
  • Do not copy, modify or delete data from or in our systems. Send us only the (minimal) data necessary to demonstrate the problem. For example, make a directory listing of files or screenshots with only the information needed to demonstrate the vulnerability.
  • Do not share knowledge about the vulnerability with others;
  • After resolution of the problem, you will immediately delete all confidential data you may have obtained while researching and reporting the vulnerability.


Our promise to you:

  • We will always take your report seriously and will investigate every suspicion of a vulnerability, even without concrete ‘evidence’;
  • We will confirm receipt of every report within 5 business days.
  • We will handle your report with strict confidentiality, and will not share your personal details with third parties without your permission unless required by law;
  • If you have followed the instructions above, we will not take any legal action against you regarding your attempts to discover vulnerabilities;
  • We do not offer a monetary reward.

 

We strive to resolve all problems as promptly as possible.