Coordinated Vulnerability Disclosure

We place great importance on the security of our IT systems and websites at Aevitae. We strive to maintain the highest level of security possible. However, vulnerabilities may still occur. We ask that you not exploit any vulnerabilities but report them to us so that we can take the necessary measures.

Have you found a vulnerability in this website or any of our other (online) systems? Please let us know as soon as possible and also before making the issue public. This allows us to address the problem as quickly as possible.

We are happy to collaborate to protect our systems better and resolve vulnerabilities promptly. However, our responsible disclosure policy is not an invitation to actively scan our systems for weaknesses.

Reporting a vulnerability

We would like to hear from you if you have found a vulnerability. Please keep the following points in mind:

  • Report the vulnerability as soon as possible after discovery via email to SOC [@] AEVITAE [.] COM.
  • Provide us with enough information to reproduce the problem. This will allow us to resolve the issue as quickly as possible. The IP address or URL of the affected system and a description of the vulnerability will suffice in most cases. For more complex vulnerabilities additional information may be required; we may ask you to provide this.
  • We ask you to include your contact details (email address or phone number) so that we can get in touch with you.
  • Please do not share information about the security issue with others until we have resolved the problem.
  • Handle the knowledge of the security issue responsibly. Do not perform actions beyond what is necessary to demonstrate the security issue.

If your report meets the conditions mentioned above we will not take legal action against you.

Do not exploit a vulnerability

If you discover a vulnerability, please do not exploit it by, for example:

  • installing malware;
  • copying, modifying, or deleting data from a system or creating a directory listing;
  • making changes to the system;
  • repeatedly accessing the system or sharing access with others;
  • using the system as a gateway to other systems;
  • using brute force to access systems;
  • performing denial-of-service attacks or using social engineering.

How we handle your report

If you have reported a vulnerability in one of our IT systems or websites, we will handle your report as follows:

  • You will receive an acknowledgment of receipt within one business day.
  • We will respond to your report within five business days. Our response will include an assessment of the report and an expected resolution date.
  • We will keep you informed of the progress in resolving the issue.
  • We will treat your report confidentially and will not share your personal information with third parties without your consent, unless legally or judicially required.

As a token of appreciation for reporting a previously unknown security issue, we offer the opportunity to be listed in our “Hall of Fame.”

Reward

We appreciate your efforts to help keep our systems and processes secure. Therefore, we offer a suitable reward in most cases. The amount of the reward is determined based on the impact. We are not obligated to justify the reward, and we reserve the right to determine the reward and its amount entirely at our discretion.

If you are eligible for a reward, we will need your personal information to process the payment. No reward will be given if:

  • Separate parties report the same vulnerability. In this case, only the first reporter is eligible for a reward.
  • You reside in a sanctioned country.
  • The vulnerability is already known to us.
  • There is abuse or a violation of this policy.

Exclusions

We do not offer rewards for trivial or non-exploitable bugs. Below are examples of known vulnerabilities and accepted risks for which no reward will be given:

  • Vulnerabilities using stolen information and credentials.
  • Social engineering.
  • Man-in-the-middle attacks.
  • HTTP 404 codes/pages or other non-200 HTTP codes/pages.
  • Fingerprinting/version banner disclosure on general/public services.
  • Publicly accessible files and directories containing non-sensitive information.
  • Clickjacking and related vulnerabilities.
  • CSRF on forms available without a session (e.g., contact form/login form).
  • Cross-Site Request Forgery on the logout function.
  • Presence of “autocomplete” or “save password” functionality.
  • Missing “secure” / “HttpOnly” flags on non-sensitive cookies.
  • Weak or bypassable CAPTCHA implementation.
  • Brute force on “Forgot Password” pages and account lockout not enforced.
  • OPTIONS Method enabled.
  • Username / email enumeration via brute force attempts on:
    • Login error messages.
    • “Forgot Password” / password error messages.
  • Missing HTTP Security Headers such as:
    • Strict-Transport-Security.
    • X-Frame-Options.
    • X-XSS-Protection.
    • X-Content-Type-Options.
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP.
  • SSL configuration weaknesses:
    • SSL attacks that cannot be exploited externally.
    • Missing SSL “Forward Secrecy.”
    • Weak and insecure SSL cipher suites.
  • Missing HTTP Public Key Pinning (HPKP).
  • SPF, DKIM, DMARC issues.
  • Host Header Injection.
  • Content Spoofing / Text Injection on 404 pages.
  • Reporting outdated software versions without a proof of concept or working exploit.
  • Information leaks in metadata.
  • Missing DNSSEC.
  • Expired or inactive domains (domain takeover).
  • Same Site Scripting / localhost DNS record.
  • Attacks on physical properties and locations.
  • Scanner output or scanner reports without a proof of concept showing that vulnerabilities can be exploited.

Resolving a vulnerability

We will resolve any reported security issue as quickly as possible. Together with you, we will determine whether and how we will communicate about the problem. We will always do this only after the issue has been resolved.

Conclusion

Aevitae may revise this responsible disclosure policy if necessary. The current policy will always be available on this page. The Dutch version of this page and policy always takes precedence.