reshift. Responsible disclosure
You can email your findings to noc@reshift.nl. It is possible to send messages encrypted using this PGP key. A report can also be made anonymously. In that case, however, Reshift is not able to contact you for a possible reward.
Note: This email address is not for any errors you may find on a website such as a missing page or a text that is incorrect.
Rules
We ask you to adhere to the following rules:
• Provide as detailed a description of the vulnerability as possible, including log files if possible.
• Please leave your contact information so we can contact you about a possible solution more quickly.
• We will send you an acknowledgement of receipt as quickly as possible, as well as the time frame in which we expect to resolve any leak. The report will be kept confidential, and we will keep you up to date on the progress regarding the problem.
• One of our developers may get in touch with you for any follow-up questions.
• Please handle the vulnerability carefully: do not publish it prematurely, do not place backdoors, do not perform brute-force attacks against our servers, and do not remove or copy any data. If you do, Reshift may report abuse.
• Do not use brute-force techniques or social engineering.
• Do not change any data or settings on our systems.
Publication
We ask that you do not publish anything regarding the vulnerability until our developers have solved the issue. After that, feel free to post a vulnerability on your blog or website.
In addition, Reshift is happy to place your name in our Hall of Fame of everyone who has helped resolve a vulnerability.
Reward
We are grateful to everyone who helps us resolve vulnerabilities in our systems, and are happy to hand out a reward. However, Reshift is under no obligation to hand out a reward.
Vulnerabilities for which Reshift will consider a reward are:
• Cross-site scripting
• SQL injection
• Encryption issues
• Data breaches relating to user data
The reward is determined by the publisher in consultation with our developers, and will be issued after the breach has been resolved. Every report (including those for which we do not consider a reward) will be published in our ‘Hall of Fame’, unless the reporter objects.