Responsible Disclosure

- or how we intend to handle reports of vulnerabilities.

The security of the Schluss systems has the highest priority. This is why we invite everyone to help us with that.

If you discover a problem in one of our systems, please let us know as soon as possible. We will then be able to take appropriate action immediately. Schluss will respond to alerts in accordance with the following rules. When alerting us, you in turn also agree to these rules.

We encourage the open source community to join us in developing this platform even further.

We ask:

  1. E-mail your findings to info@schluss.org. If possible encrypt the message and send it over a secure connection to prevent the information from falling into the wrong hands.
  2. Provide sufficient information for us to be able to reproduce the problem, so we can fix it as quickly as possible. Usually the IP address or URL of the affected system and a description of the problem is enough, but with more complex vulnerabilities more information may be required.
  3. Provide your contact details (e-mail address or telephone number) so we can get in touch with you to work together on resolving the issue.
  4. Inform us as quickly as possible after discovering the problem.

What we do after your report:

  1. We treat your report confidentially and do not share your personal information with third parties without your permission, unless we are obliged to do so by law or court order.
  2. In principle, you remain anonymous. But if you wish, we can put your name as the discoverer of the reported weaknesses. We do that after mutual consultation.
  3. We will respond within 3 business days of notification with an initial assessment, and, possibly, with an expected date for a solution.
  4. We will solve the reported weakness as soon as possible. We try as much as possible to keep you abreast of progress and will normally solve it within 90 days.
  5. By mutual consent we determine if and how we will publish the weakness after it has been resolved.
  6. You might receive a reward. The reward depends on the quality of your report and the amount of potential damage prevented as a result of it.
  7. If you meet all conditions, we will not submit legal proceedings against you.

What is not permitted:

  1. Placing malware, neither in our systems nor in those of others.
  2. Using so-called ‘brute force’ techniques, such as repeatedly entering passwords to gain access to systems.
  3. The use of social engineering.
  4. To make information public about security weaknesses before this issue is solved.
  5. Carrying out actions that go beyond what is strictly necessary to demonstrate and report security issues, especially when it comes to processing (including accessing or copying) confidential data to which you have had access through the vulnerability.
  6. Altering or deleting any information in the system. Instead of copying an entire database, it might suffice to just list a directory.
  7. Using techniques that make our system unavailable or inaccessible (DoS attacks).

Any abuse of our systems in any way will be punished.