Responsible disclosure guidelines
English version: https://www.clonable.net/.well-known/responsible-disclosure.txt
At Clonable we take the security of our systems very seriously. Despite the care we put into securing them, a weakness may still exist.
If you have found a weakness in one of our systems, we would like to hear about it so that we can take measures as quickly as possible. We would like to work with you to better protect our customers and our systems.
We ask you to:
- Email your findings to security@clonable.net,
- Not report missing best practices (such as no HSTS or missing security headers) unless they pose a real, demonstrable and significant risk,
- Not exploit the problem, for example by downloading more data than is necessary to demonstrate the leak or by accessing, deleting or modifying data of third parties,
- Not share the problem with others until it is fixed, and delete all confidential data obtained through the leak immediately after the leak is fixed,
- Not use physical security attacks, social engineering, distributed denial of service, spam, or third-party applications; and
- Provide sufficient information to reproduce the problem so that we can resolve it as soon as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more complex vulnerabilities may require more detail.
What we promise:
- We will respond to your report within 5 business days with our assessment of the report and an expected date for resolution,
- If you have complied with the above conditions, we will not take any legal action against you regarding the report,
- We will treat your report confidentially and will not share your personal information with third parties without your permission, unless this is necessary to comply with a legal obligation. It is possible to report under a pseudonym,
- We will keep you informed of the progress in solving the problem,
- When we publish information about the reported problem, we will, if you wish, name you as the discoverer; and
- As a thank you for your help, we offer to add your name to our "hall of fame" for every report of a security problem not yet known to us. Depending on the severity of the problem and the quality of the report, your name may be accompanied by a link of your choice.