Our Security Policy

Warning!

We welcome and appreciate your good-faith efforts to report vulnerabilities, misconfigurations, programming errors and the like in our platforms. To encourage responsible reporting, we will not take legal action against you or ask law enforcement to investigate you, as long as you abide by these general rules:

  • Do not leak our information
  • Do not modify or delete our data
  • Do not degrade our service
  • No social engineering: phishing, vishing, smishing, etc., are prohibited.

In other words: don't be evil. These rules are hard rules: if you violate them, we will prosecute you to the fullest extent of the law.

Framework conditions and rules

The discovery and reporting of vulnerabilities can have civil and criminal consequences. The associated risks can be reduced if you follow these rules:

  • Do not use vulnerability scanners that can cause denial of service between 7am and 7pm (UTC+01:00).
  • Do not perform social engineering attacks.
  • Do not discuss the security vulnerability you have discovered with anyone other than the affected system owner.
  • Do not publicly disclose the vulnerability until the affected parties have been given enough time to remedy it.
  • Once you have reported a vulnerability, do not repeatedly interact with the affected system during the coordinated disclosure process.
  • Do not leverage vulnerabilities to download, modify or delete any data beyond the minimum necessary actions to provide a proof of concept.
  • Do not attempt to elevate privileges, or explore a system beyond the minimum necessary to provide a proof of concept.
  • Do not exfiltrate other users' data; use only your own account(s) for testing.
  • Do not attempt to gain access to a system using brute force or social engineering techniques.
  • Do not use denial of service attacks.
  • Do not install malware or viruses.
  • When possible, specify in your report the IP addresses you were using when you discovered the vulnerability. This will help assess potential exploitation and reduce false-positive alerts.