Responsible disclosure policy

What do we ask of you?

If you discover a vulnerability in one of our systems, we ask you:

Reporting the vulnerability

• Report the vulnerability as soon as possible after discovery. Email your findings to security@doccle.be and encrypt them with our PGP key to prevent the information from falling into the wrong hands.
• Provide sufficient information to reproduce the vulnerability so that we can resolve the problem as quickly as possible. Typically, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more complex vulnerabilities may require more.
• Leave your contact details so that Doccle can contact you to work together on a safe result. Leave at least your name, email address and/or telephone number. Reporting under a pseudonym is possible, but make sure that we can contact you if we have additional questions.
• To confirm that you have acted and will continue to act in accordance with this Responsible Disclosure Policy

Rules that you must comply with

• Not to disclose the vulnerability until we have been able to correct the vulnerability. See below for possible subsequent publication.
• Not to abuse the vulnerability by unnecessarily copying, deleting, modifying or viewing data. Or, for example, by downloading more data than is necessary to demonstrate the vulnerability.

Do not apply the following actions:

• Placing malware (virus, worm, Trojan horse, etc.).
• Copying, changing or deleting data in a system.
• Making changes to the system.
• Repeatedly accessing the system or sharing access with others.
• Using automated scanning tools.
• Using so-called “brute forcing” access to systems.
• Using denial-of-service or social engineering (phishing, vishing, spam, …).

Not to use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications.

Delete all data obtained via the vulnerability immediately after reporting.

Not to perform any actions that could have a possible impact on the proper functioning of the system, both in terms of availability and performance, but also in terms of confidentiality and integrity of the data.

Actions under this policy must be limited to performing tests to identify potential vulnerabilities and sharing this information with Doccle.

If you wish to publish about the vulnerability after the vulnerability has been removed, we request that you notify us at least one month before publication and give us the opportunity to respond. Identifying us, directly or indirectly, in a publication is only possible after our express agreement.

What we promise

• If you have complied with the above terms of the Responsible Disclosure Policy and have not committed any other breaches, we will not take legal action against you.
• We will respond to your report within a short period of time, if possible within 10 working days, with our assessment of the report and a possible expected date for a solution.
• We will treat your report confidentially and will not share your personal data with third parties without your permission, unless this is necessary to comply with a legal obligation.
• We will keep you informed of the progress of solving the problem.
• We strive to resolve all problems within a short period of time.
• We may choose to ignore lower quality reports.

If you have any questions, we encourage you to direct them to security@doccle.be

If you have any doubts about the applicability of this policy, please first contact us via this email address to request explicit permission.

Applicable law: Belgian law applies to disputes relating to the application of this policy.

Duration: The rules of the policy are applicable from 19/09/2023 until they are possibly changed or canceled by Doccle. These changes or cancellations will be announced on the Doccle website and will automatically apply 30 days after their announcement.

This text is a derivative work of “Responsible Disclosure” by Floor Terra, used under a  Creative Commons Naamsvermelding 3.0 licence.