
Cybersprint’s goal is to make the world more cyber-secure. Naturally, we strive towards a high level of security for our own systems and online presence. However, it is possible that Cybersprint’s systems contain a weak spot.

If you have found a potential security vulnerability in one of Cybersprint’s systems or domains, that’s actually something we value, and would like to thank you for bringing it to our attention. That’s why we have set up our responsible disclosure process as described below. Thanks to your finding, we can co-operate with you to take the necessary measures and mitigate the vulnerability.


We kindly ask you to:

  • Email your finding to soc [at] cybersprint.com as quickly as possible, including every step needed to identify and reproduce the vulnerability;
  • Provide us with full details of the security issue, including the IP address or the URL of the affected system or domain, and if possible a Proof of Concept;
  • Leave your contact details so we can contact you to cooperate towards a safe result. This could be an email address or a telephone number;
  • Do not disclose the vulnerability to others without our permission/approval;
  • Handle knowledge of the vulnerability with care. Please do not perform any acts other than those necessary to reveal the vulnerability to us.

For the security of our systems, and to secure the service we provide to our customers, we ask you to please take note of the following:

  • Do not cause damage and create unnecessary security risks;
  • Do not install, copy, change or delete anything on a system;
  • Do not use 'brute force' to access a system;
  • Do not use social engineering to gain access to a system;
  • Do not publish any sensitive data including customer and/or infrastructure data found in your research;
  • Do not disrupt online services;
  • Do not install a backdoor in the system, not even for the purpose of showing the vulnerability. Inserting a backdoor will cause even more damage to our systems;
  • Do not attempt to penetrate the system any further than required for the purpose of your investigation. Should you have successfully penetrated the system, do not share this gained access with others;
  • Do not make any changes to or delete data from the system. If your finding requires you to copy the data from the system, do not copy more data than necessary. If one record will suffice, do not copy any more.

What to report

Examples of vulnerabilities could be:

  • Authentication bypass, unauthorised data access;
  • Remote code execution;
  • SQL injection;
  • Cross Site scripting (XSS);
  • Cross Site Request Forgery (CSRF).

The following cases are excluded from this responsible disclosure programme. Please do not report:

  • Our policies on presence or absence of SPF/DKIM/DMARC records;
  • Cross Site Request Forgery (CSRF) vulnerabilities on static pages (CSRF is only in scope on pages behind logon);
  • Redirection from HTTP to HTTPS;
  • HTML does not specify charset;
  • HTML uses unrecognised charset;
  • Cookie without HttpOnly flag set;
  • Absence of HTTP Strict Transport Security (HSTS);
  • Clickjacking or the non-existence of X-Frame-Options on non-logon pages;
  • Disclosure of a possibly outdated server or third-party application version, without a Proof of Concept of its exploitation;
  • Reports of unsecured SSL/TLS ciphers and other misconfigurations;
  • Generic vulnerabilities related to software or protocols not under the control of Cybersprint;
  • Distributed Denial of Service attacks;
  • Spam or social engineering techniques;
  • Reports from routine scans such as port scanners.


What you can expect from us

  • First of all, we will handle all reports confidentially and will not share your personal details with third parties without your permission, unless this is mandatory by judicial decision.
  • We will respond to your report within three working days with an assessment of the report and an expected date for a solution.
  • We will resolve the observed security issue as quickly as possible and keep you up to date.
  • We will determine in mutual consultation whether and in what way the issue will be published after it has been resolved.
  • We will offer a reward based on:
    • Whether you are the first reporter;
    • The severity of the vulnerability;
    • The possibility of exploitation.
  • We reserve the right to consider the vulnerability as an accepted risk and not resolve it.


Your privacy

We will only use your personal information to get in contact with you and to undertake actions with regard to your reported vulnerability. We will not distribute your personal information to third parties without your permission, unless we are required to do so by law, or if an external organisation takes over the investigation of your reported vulnerability.


More information

This is not an invitation to actively start scanning or hacking us. If you happen to find something (by accident), we would like to know as soon as possible via soc [at] cybersprint.com.

You may use our PGP key to encrypt sensitive information that you send by email.
