Responsible disclosure policy
Doccle considers it very important that its information and systems are secure. Despite our greatest concern for the security of these systems, it is possible that there is still a vulnerability.
If you have found a vulnerability in one of our systems, we would like to hear from you so that we can take measures as quickly as possible. We would like to work with you to better protect our audience and our systems.
That is why we have opted for a ‘Responsible Disclosure Policy’, so that you can inform us when you discover a vulnerability.
This Responsible Disclosure Policy applies to all Doccle systems. If you have any doubts, we ask you to contact us for clarity via security@doccle.be.
What do we ask of you?
If you discover a vulnerability in one of our systems, we ask you:
Reporting the vulnerability
- Report the vulnerability as soon as possible after discovery. Email your findings to security@doccle.be and encrypt them with our PGP key to prevent the information from falling into the wrong hands.
- Provide sufficient information to reproduce the vulnerability so that we can resolve the problem as quickly as possible. Typically, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more complex vulnerabilities may require more.
- Leave your contact details so that Doccle can contact you to work together on a safe result. Leave at least your name, email address and/or telephone number. Reporting under a pseudonym is possible, but make sure that we can contact you if we have additional questions.
- To confirm that you have acted and will continue to act in accordance with this Responsible Disclosure Policy
Rules that you must comply with
- Not to disclose the vulnerability until we have been able to correct the vulnerability. See below for possible subsequent publication.
- Not to abuse the vulnerability by unnecessarily copying, deleting, modifying or viewing data. Or, for example, by downloading more data than is necessary to demonstrate the vulnerability.
Do not apply the following actions:
- Placing malware (virus, worm, Trojan horse, etc.).
- Copying, changing or deleting data in a system.
- Making changes to the system.
- Repeatedly accessing the system or sharing access with others.
- Using automated scanning tools.
- Using so-called “brute forcing” access to systems.
- Using denial-of-service or social engineering (phishing, vishing, spam, …).
Not to use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications.
Delete all data obtained via the vulnerability immediately after reporting.
Not to perform any actions that could have a possible impact on the proper functioning of the system, both in terms of availability and performance, but also in terms of confidentiality and integrity of the data.
Actions under this policy must be limited to performing tests to identify potential vulnerabilities and sharing this information with Doccle.
If you wish to publish about the vulnerability after the vulnerability has been removed, we request that you notify us at least one month before publication and give us the opportunity to respond. Identifying us, directly or indirectly, in a publication is only possible after our express agreement.
What we promise
- If you have complied with the above terms of the Responsible Disclosure Policy and have not committed any other breaches, we will not take legal action against you.
- We will respond to your report within a short period of time, if possible within 10 working days, with our assessment of the report and a possible expected date for a solution.
- We will treat your report confidentially and will not share your personal data with third parties without your permission, unless this is necessary to comply with a legal obligation.
- We will keep you informed of the progress of solving the problem.
- We strive to resolve all problems within a short period of time.
- We may choose to ignore lower quality reports.
If you have any questions, we encourage you to direct them to security@doccle.be
If you have any doubts about the applicability of this policy, please first contact us via this email address to request explicit permission.
Applicable law: Belgian law applies to disputes relating to the application of this policy.
Duration: The rules of the policy are applicable from 19/09/2023 until they are possibly changed or canceled by Doccle. These changes or cancellations will be announced on the Doccle website and will automatically apply 30 days after their announcement.
This text is a derivative work of “Responsible Disclosure” by Floor Terra, used under a Creative Commons Naamsvermelding 3.0 licence.
Doccle also collaborates with Intigriti.com. If you are a researcher for Intigriti, we ask you to share your findings via the Intigriti platform.