Responsible Disclosure Policy
SOMI (Foundation for Market Information Research) considers it important that its information and systems are secure.
Despite the care we take in securing these systems, a vulnerability may still exist.
If you have found a vulnerability in one of our systems, please let us know so that we can take measures as quickly as possible. We would like to work with you to protect our audience and our systems in a better way.
We have therefore opted for a policy of coordinated disclosure of vulnerabilities (also known as the ‘Responsible Disclosure Policy’) so that you can inform us when you discover a vulnerability.
This Responsible Disclosure Policy applies to all VRT systems. In any case of doubt, please contact us to clarify matters via firstname.lastname@example.org
What we ask of you
If you discover a vulnerability in one of our systems, we ask you to:
- Reporting the vulnerability
  - Report the vulnerability as soon as possible after discovery. Mail your findings to email@example.com
  - Vulnerabilities can also be reported securely via the 'report privacy violations' feature in the SOMI App.
- Provide sufficient information to reproduce the vulnerability so that we can solve the problem as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but for more complex vulnerabilities more may be needed.
- Leave your contact details, so that SOMI can contact you to work together towards a safe result. Leave at least your name, e-mail address and/or telephone number. Reporting under a pseudonym is possible, but make sure that we can contact you if we have additional questions.
- Confirm that you have acted and will continue to act in accordance with this Responsible Disclosure Policy.
Rules you must follow
Don’t disclose the vulnerability until we have been able to correct it. See below for possible publication.
Don’t exploit the vulnerability by unnecessarily copying, deleting, adapting or viewing data, or, for example, by downloading more data than is necessary to demonstrate the vulnerability.
Don’t perform any of the following actions:
- Placing malware (virus, worm, Trojan horse, etc.).
- Copying, modifying or deleting data in a system.
- Making changes to the system.
- Repeatedly accessing the system or sharing access with others.
- Using automated scanning tools.
- Using so-called "brute force" attempts to gain access to systems.
- Using denial-of-service or social engineering (phishing, vishing, spam, ...).
- Attacking physical security, social engineering, distributed denial of service, spam or third-party applications.
- Immediately erase all data obtained through the vulnerability as soon as it has been reported to SOMI.
- Don’t perform actions that could affect the proper functioning of the system, both in terms of availability and performance and in terms of the confidentiality and integrity of the data.
No bounties will be awarded for reports of known issues, or for issues whose environmental (modified) impact is rated ‘low’ according to the Common Vulnerability Scoring System (CVSS v3.1).
| Severity | Base Score Range | Bug Bounty |
|---|---|---|