Responsible Disclosure Policy
As a hosting provider, we consider the security of our systems and those of our customers highly important. In spite of our concern for the security of these systems, it may nevertheless happen that a weak spot exists.
If you have found a weak spot in one of the ICT systems within our network, we would like to hear about this from you, so the necessary measures can be taken as quickly as possible to rectify the vulnerability. We collaborate with you in order to better protect our customers and our systems.
We ask you to:
- E-mail your findings to firstname.lastname@example.org.
- Handle your knowledge of the security problem with care by not performing any acts other than those necessary to reveal the security problem.
- Refrain from sharing information about the security problem with others until the problem has been solved.
- Refrain from using attacks on physical security, social engineering, distributed denial-of-service attacks, spam or third-party applications.
- Report the vulnerability as quickly as possible after its discovery.
- Provide sufficient information to reproduce the problem so that we can solve it as quickly as possible. The IP address or the URL of the affected system and a description of the vulnerability are usually sufficient, but more may be needed for more complex vulnerabilities.
We only accept reports for actual vulnerabilities in our services. We consider the following issues as serious vulnerabilities:
- Access to our customers’ data which should not be accessible.
- Access to our ICT systems or our customers’ services which should not be accessible.
- Methods which can threaten the availability of our ICT systems or our customers’ services.
What we do not consider vulnerabilities or good reports:
- Output of automated scanning tools indicating a possible problem; we do these scans ourselves. We expect human-edited vulnerability reports.
- Visibility of names and versions of software, services and systems we use. We do not believe in security through obscurity.
What you can expect from us:
- We respond within three working days to a report with an assessment of the report and an expected date for a solution.
- If you comply with the conditions above when reporting the observed vulnerability in one of our ICT systems, we will not attach any legal consequences to this report.
- We will handle a report confidentially and will not share personal details with third parties without permission from the reporter, unless this is mandatory by virtue of a judicial decision.
- We will keep the reporter up-to-date on the progress made with solving the problem.
- In mutual consultation, we can, if you desire, mention your name or acronym as the discoverer of the reported vulnerability on our wall of fame.
- We offer a reward (like a kick ass Fuga hoody or Fuga credit on our platform) as thanks for reporting a security problem that is unknown to us. The reward offered varies, depending on the seriousness of the security problem and the quality of the report.
We strive to resolve any security problems as quickly as possible and we like to be involved in any publication about the problem after it has been resolved.