Include as much information as possible, because that will help us reproduce the problem and put it right. We'd ideally like to have a description of what you discovered, complete with IP addresses, logs, screenshots and so on.
Please include your contact details (phone number or e-mail address), so that we can get in touch if we need to know more.
Other important points
Don't tell anyone what you found.
Destroy any data you've stumbled on.
Don't go deeper into our systems than you need to in order to show that there's a problem.
Don't abuse a vulnerability you've discovered. If you do, we'll inform the police.
What you do not need to report:
Social Engineering.
Resource exhaustion / (Distributed) Denial of Service.
Physical Access Testing
Situations that cannot be reproduced
Exploits that are not validated with a second tool/method, i.e. wrong result in tool A, right result in tool B
Cosmetic issues, i.e. this does not look good in browser A (you can drop us a line at contact@gobase.net)
Situations where the problem lies at user (awareness) level, i.e. can be exploited when the workplace is left unprotected, click or keypress combos.
Simple fingerprinting or version listings on OS, services or ports.
Reporting of publicly available files that contain public information
Secure/HTTP-only flag missing on cookies containing public information only
TLS misconfiguration without a proof of concept to exploit the weakness
Incomplete or missing SPF, DKIM or DMARC records
Services running at third-party service providers (check their responsible disclosure statement beforehand)
E-mail addresses found in a third-party data breach
Publicly disclosed vulnerabilities, patched within the last 2 weeks
URL redirection (to a valid webpage).
Known issues
There are also problems that we are already aware of and are working on, or that we recognise as accepted risks. These problems are not mentioned on the website. Our support team is aware of them and will report them. As a result, the issue will not be dealt with.
What we'll do
We'll e-mail you within one working day, confirming receipt of your report.
Within five working days, we'll respond to the substance of your report and tell you when the issue will be resolved. Weaknesses are fixed as soon as possible and certainly within three months.
We'll keep you updated about progress with fixing the issue.
With your help, we'll decide whether information about the issue should be published. We'll name you as the person who discovered the problem only if you want us to.