Here at Blik, security of our systems is one of our top priorities. Despite our care and attention, it may happen that one of our systems is vulnerable unbeknownst to us. If you do happen to find a security weakness in one of our systems, we would like you to report this to us as soon as possible, so we can fix it. We are eager to cooperate with you to better protect our customers and their data.
What we ask
- To e-mail your findings to email@example.com;
- To not abuse the vulnerability, for example by downloading more data than necessary to demonstrate the problem, or deleting or modifying our data. If, for example, you gain access to our database, just downloading and showing us 1 row of data will be enough;
- To not disclose the vulnerability to other parties until we have fixed the issue;
- To permanently delete all copies of any data obtained through the vulnerability as soon as it has been fixed;
- To abstain from using attacks on physical security, using social engineering, distributed denial of service, spam or third-party applications;
- To give us enough information to reproduce and fix the vulnerability. Usually the IP address or URL of the affected system and a description of the vulnerability are enough. With more complex vulnerabilities, more information may be needed.
What we promise
- We will respond within 3 working days with our evaluation of your report, and if applicable, an expected date on which the issue will have been fixed;
- If you have adhered to these terms, we will not take legal action against you;
- We will treat your report confidentially and will not share your personal information with third parties without your permission, unless doing so is necessary to fulfill a legal obligation. Reporting under a pseudonym is allowed;
- We will keep you posted on our progress in solving the issue;
- In any reporting about the problem, if you so desire, we will mention your name as the discoverer of the problem; and
- As thanks for your aid in making our system more secure, we offer a reward for any vulnerability that we did not know about yet, and that can directly lead to unauthorized access to one of our systems.
We strive to solve any security vulnerabilities as quickly as possible, and would like to be involved in any publications regarding those, after they have been solved.
Thanks to Floor Terra and his example text at https://responsibledisclosure.nl