Responsible Disclosure
At Portbase, the security of our systems is a top priority. Despite our efforts to keep our systems secure, vulnerabilities can occur. After all, digital technologies and insights change daily. Should you discover a vulnerability in our systems, we would like to hear about it. That way we can take immediate appropriate action and ensure a safe digital environment for our customers and ourselves.
We ask you to:
- Email your findings to security@portbase.com. Secure or encrypt your findings to prevent the information from falling into the wrong hands;
- Handle the vulnerability found responsibly and not abuse it in any way, for example by not downloading more data than necessary and not viewing, deleting or modifying third-party data;
- Not share your findings with others until the vulnerability is resolved, and delete all confidential data obtained through the leak immediately after its resolution;
- Not use physical security attacks, social engineering, distributed denial of service, spam or third-party applications;
- Provide sufficient information to reproduce the problem so that we can resolve it as soon as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more information may be required for more complex vulnerabilities;
- Provide sufficient details for us to contact you. Please include at least your e-mail address and preferably your phone number. We will treat your personal details confidentially.
What we promise:
- Respond to your report within three (3) working days with an acknowledgment of receipt. We will respond to the content of your report within thirty (30) working days. This substantive communication will also provide insight into the expected resolution date.
- Treat your report confidentially and not share your personal data with third parties without your consent, unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is possible.
- Not take any legal action against you as a result of your report if you have complied with the aforementioned conditions.
- Keep you informed about the progress of the solution, if desired.
- In our reporting on the problem, we will, if desired, mention your name as the discoverer.
- To thank you for your help, we will offer you a playful/appropriate reward for every report of a security problem not yet known to us. We determine the size of the reward based on the severity of the leak and the quality of the report.
We strive to solve all problems as quickly as possible and we would be happy to be involved in any publication about the problem after it has been solved.
This Responsible Disclosure policy is based on an example written by Floor Terra and the Responsible Disclosure Guideline of the NCSC.
© Portbase, version August 2024