We consider the security of our applications and the privacy of our customers of paramount importance. Despite all care and dedication, there can still be vulnerabilities present.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems and are happy to work with you to resolve the vulnerability as soon as possible.
To prevent a potential vulnerability being abused by others, we ask you use the following guidelines:
- Report security vulnerabilities (or suspicion thereof) to PXS’s security department by emailing firstname.lastname@example.org. You can report anonymously or use a pseudonym;
- Provide sufficient information (for example, a detailed description including IP addresses, logs, how to reproduce the vulnerability, screenshots, etc.) so we will be able to analyse and resolve as effectively as possible;
- Do not share knowledge about the vulnerability with others, until this problem has been resolved;
- Do not abuse the vulnerability you have discovered, for example but not limited to, by using attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties, or by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data. If this happens, we may have to pursue legal action.
- After resolution of the problem, you will immediately delete all confidential data you obtained during researching and reporting the vulnerability.
Our promise to you:
- We will always take your report seriously and will investigate every suspicion of a vulnerability, even without ‘evidence’;
- We will confirm receipt of your report within 1 business day. We will inform you of our analysis and update you on further actions within 3 business days;
- We will handle your report with strict confidentiality, and will not pass on your personal details to third parties without your permission;
- When it comes to major unknown vulnerabilities, we want to give you the credits you deserve. We will address:
- a possible coordinated publication of the vulnerability
- mentioning your name as the discoverer of the problem in publications (unless you desire otherwise)
- a possible reward, based on the severity of the leak and the quality of the report;
- If you have followed the instructions above, we will not take any legal action against you regarding your attempts in discovering vulnerabilities.