Responsible Disclosure Policy Endouble
Endouble is dedicated to protecting the security and privacy of our clients, visitors and users of the systems and services we provide. We are committed to working with security researchers and to reviewing every report of a possible vulnerability. Our Responsible Disclosure programme helps us reduce the risk posed by vulnerabilities and is part of the continuous improvement of our services.
If you, as a security researcher, comply with the guidelines in this Responsible Disclosure policy, Endouble will not take legal action against you.
Do not disrupt or degrade our services (e.g. DoS).
Avoid accessing, modifying or removing data that belongs to Endouble or our clients.
Please include details of the vulnerability in your report, the steps required for us to reproduce it, and a Proof of Concept (PoC) if possible.
If you have gained access to confidential information belonging to Endouble or its clients, especially Personally Identifiable Information (PII), do not share it with any third party and report the access to Endouble.
Vulnerabilities in scope:
Below you will find a list of the vulnerability types we consider most important for our products and services. This does not mean we will not review reports about other types of vulnerabilities, but those will most probably be assigned a much lower priority.
Please also remember that any form of social engineering (SE) is completely out of scope. Do not send us phishing emails or place phone calls that use SE techniques against our employees or clients.
We are interested in:
- Sensitive data exposure
- Cross-site request forgery (CSRF/XSRF)
- Cross-site scripting (XSS)
- Authentication bypass
- Remote code execution
- SQL injection
- Privilege escalation
Please allow us a reasonable time frame to fix a disclosed vulnerability before publicly discussing or revealing any information about it.
The best way to contact us is to send us an email at firstname.lastname@example.org.
If you would like to include any confidential information (e.g. credentials, PoCs, personal information), it is very important that you use the Endouble PGP key to encrypt all correspondence with us. Remember to share your own public key first so that we can encrypt our replies to you.
If you do not want to use PGP, please contact us first to establish a secure channel of communication before sending us any confidential information in a plaintext email.
If you would like to hear back from us please provide us with your name (company name) and contact information together with your report.