Responsible Disclosure Policy

Have you found a weak point? Let us know as soon as possible.

At Splendid Data we consider the security of our systems, our network and our products and customer data to be of the utmost importance. Despite our efforts for the security of our systems, there may still be a weak spot. If you have found a weak spot in one of our systems, we would be happy to hear from you so that we can take action as soon as possible.

Weaknesses can be discovered in a variety of ways: for example, by accident when using an environment, or by explicitly trying to find a weak spot.

Our responsible disclosure policy is not an “open application” for extensive active scanning of our company network for weaknesses. We monitor our network ourselves. As a result, there is a good chance that a scan will be identified and investigated by us, and that unnecessary costs may be incurred.

You are, however, encouraged to actively search for vulnerabilities in our products in an offline non-production environment and to report your findings to us. Our responsibility to our customers means that our intention is not to encourage hacking attempts on their infrastructure; however, we would like to hear from you as quickly as possible if vulnerabilities are found, so that we can resolve them adequately.

We want to work with you to better protect you and our other customers and our systems.

We ask that you:

  • E-mail your findings as quickly as possible to security-alert@splendiddata.com.
  • Do not abuse the vulnerability; for example, by downloading, editing or deleting data. We will always take your report seriously and investigate any suspicions of vulnerability, even without proof.
  • Do not share the problem with others until it has been resolved.
  • Do not use attacks on physical security, social engineering, or hacking tools such as vulnerability scanners.
  • Give adequate information for the problem to be reproduced so that we can resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability are enough, although more information might be necessary for more complex vulnerabilities.

What we promise:

  • We will respond to your report within three business days, with our evaluation of the report and an expected resolution date.
  • We will handle your report confidentially, and will not share your personal information with third parties without your permission. An exception to this is the police and judiciary in the event of prosecution or if information is demanded.
  • We will keep you informed of the progress of the solution to the problem.
  • In communication about the reported problem, we will state your name as the party that discovered the problem, if you wish.
  • It is unfortunately not possible to guarantee in advance that no legal action will be taken against you. We hope to be able to consider each situation individually. We consider ourselves morally obligated to report you if we suspect the weakness or data are being abused, or that you have shared knowledge of the weakness with others. You can rest assured that an accidental discovery in our online environment will not lead to prosecution.
  • As a token of gratitude for your help, we donate a sum of money to a charity for each report of a security problem that is as yet unknown to us. We determine the amount on the basis of the seriousness of the leak and the quality of the report. The charity is determined in consultation with you.

We strive to resolve all problems as quickly as possible and to keep all involved parties informed, and we would like to be involved in any publication about the problem once it is resolved.

With thanks to Floor Terra for his sample text in English on http://responsibledisclosure.nl/