At Dragon1 Inc., we consider the security of our systems very important. Despite the care we take with the security of our systems, there may still be a weak spot.
If you have found a weak spot in one of our systems, we would like to hear about it so that we can take measures as quickly as possible. We want to work together to protect our users and systems better.
Our Responsible Disclosure policy is NOT AN INVITATION to actively and extensively scan our corporate network to discover weak spots. We monitor our company network. There is a good chance that a scan will be picked up and that our CERT (Computer Emergency Response Team) will investigate its origin, potentially incurring unnecessary costs.
There is a chance that during your investigation you will carry out actions that are punishable under criminal law. If you comply with the conditions below, we will not take legal action against you regarding the report. The Public Prosecution Service in the Netherlands always has the right to decide whether you are prosecuted. The Public Prosecution Service has published this.
We ask you:
- Email the weak spot as soon as possible to ciso@dragon1.com. Encrypt your findings with our PGP key https://www.dragon1.com/public_key.zip to prevent the information from falling into the wrong hands.
- Not to abuse the weakness, for example by downloading more data than is necessary to demonstrate the leak, or by modifying or deleting data, and to exercise extra restraint with personal data.
- Not to share the weakness with others until it is resolved. Not to use automated security attacks from third-party applications, social engineering, distributed denial-of-service, or spam.
- Provide enough information to reproduce the weakness so that we can fix it as quickly as possible. Usually the IP address or the URL of the affected system, a description of the vulnerability, and the actions taken are sufficient, but more complex vulnerabilities may require more.
What we promise:
- We will respond to your report within three working days with our assessment of the report and an indication of when we expect to have a solution.
- We will handle your report with care and will not share your personal information with third parties without your permission, unless this is necessary to reach an agreement.
- We will keep you informed of the progress of fixing the weakness.
- Anonymous or pseudonymous reporting is possible. Please be aware that in that case we cannot contact you about, for example, the next steps, the progress of closing the leak, or any publication following the report.
Our policy is not to award rewards for reporting weak spots.
We strive to resolve all issues quickly and keep all parties informed. We are happy to be involved in a publication about the vulnerability when it is resolved.
Our policies are licensed under a Creative Commons Attribution 3.0 license. This policy is based on the example policy of Floor Terra (ResponsibleDisclosure.nl).