
Responsible Disclosure
At Ivengi.com, we consider the security of our systems a top priority. However, in spite of all the effort we put into system security, vulnerabilities could still be present.
If you discover a vulnerability in one of our systems, we would like to know about it, so we can take steps to address it as quickly as possible. We would like to cooperate with you in order to better protect our clients and systems.
Responsible disclosure does not give you the right to scan our network for vulnerabilities. We have commitments to our customers and expect you to refrain from degrading or interrupting our infrastructure in any way with hacking attempts.
We request you do the following:
- Email your findings to security@ivengi.com. Encrypt your findings using our PGP key to prevent this information from falling into the wrong hands.
- Do not take advantage of the problem you have discovered, e.g. by downloading more data than necessary to demonstrate the vulnerability or by deleting or modifying third-party data.
- Do not share the problem with others until it has been resolved, and remove all confidential data obtained through the vulnerability immediately after it has been resolved.
- Do not make use of attacks on physical security, social engineering, distributed denial of service, spam or third-party applications.
- Provide sufficient information so that we are able to reproduce the problem and can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability will suffice. More complex vulnerabilities, however, may require additional information.
What we promise:
- We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date.
- If you have followed the conditions above, we will not take any legal action against you in regard to the report.
- We will handle your report with strict confidentiality, and will not pass on your personal details to third parties without your permission, unless required to do so under legal obligations. Reporting under a pseudonym is possible.
- We will keep you informed of the progress towards resolving the problem.
- In any publicised information concerning the problem reported, we will credit you by name as the discoverer of the problem, should you wish for us to do so.
- As a token of our gratitude for your assistance, we offer a reward for every report of a security problem not yet known to us. The amount of the reward will be determined based on the severity of the vulnerability and the quality of the report. The minimum reward will be a €50 gift certificate.
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication of the problem after it is resolved.