Responsible disclosure and
Bounty program

Our policy is not an invitation to extensively actively scan our network or systems for vulnerabilities. We also monitor our company network ourselves. As a result, there is a good chance that we will pick up your scan, that our security team will investigate, which may lead to unnecessary costs.

It is possible that during your research you will carry out acts that are punishable under criminal law. If you have complied with the conditions below, we will not take legal action against you. However, the Public Prosecution Service always has the right to decide for itself whether to prosecute you.

The following operations are prohibited and we will not respond to reports when these methods are used.

• Using automated tools for huge scans – tests performed for the purpose of security research can’t have a negative impact on our infrastructure and websites. This kind of test might be treated as a DOS attack and we may take actions to block this type of traffic and prevent the situation from recurring.
• Sharing information about vulnerabilities with people not authorized by Dotlab.
• Performing actions that may negatively affect Dotlab or websites developed by Dotlab (e.g. SPAM).
• Any form of physical attack on IT infrastructure and/or corporate personnel.
• Social engineering – i.e. phishing, vishing, smishing on any of the websites.
• Exfiltrating data – tests should be performed on the minimum amount of data needed to confirm the vulnerability.
• Violating any applicable laws or violating applicable agreements to discover vulnerabilities.

• Vulnerabilities affecting users of outdated or unsupported browsers or platforms
• Cross-site scripting bugs that require an unbelievable amount of user interaction
• Cross-site request forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Missing (RE)CAPTCHA
• Password complexity or account recovery policy
• HTTPS mixed content
• Issues with no clearly identified security impact
• Global Security Headers
• Invalid or missing SPF, DKIM, DMARC records
• Weak SSL/TLS cipher suites
• Sending vulnerability reports using automated tools without validation
• Using a known-vulnerable library with no evidence of abuse
• Attacks that require physical access to an unlocked user device
• Reports of SPAM, phishing or security best practices
• Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
• Missing cookie flags on non-sensitive cookies
• Users with superuser privileges who post JavaScript at random (e.g. via the Tag Manager module)
• Path disclosure
• Vulnerabilities already known and reported by other security researchers

• Report your findings as soon as possible using the form below. Encrypt your findings to prevent the information from falling into the wrong hands.
• Do not abuse the founded vulnerability by, for example, downloading more data than is necessary to demonstrate the leak and/or change or delete the data.
• Be extra careful with personal data.
• Do not share the vulnerability with others until it is fixed.
• Do not use attacks against physical security or third-party applications, social engineering, (distributed) denial-of-service, malware, or spam.
• Provide enough information to reproduce the vulnerability so that we can fix it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability and the actions taken are sufficient, but more complex vulnerabilities may require more.

Please contact us via the form at the bottom of this page with a description of the steps required to reproduce the problem.

Provide a detailed summary of the vulnerability, including:

• Type of issue
• Date and time when the bug was detected
• Product, version and configuration of software or asset containing the bug
• Step-by-step instructions to reproduce the issue (proof of concept)
• Website/URL of the websites where the vulnerability was found
• Impact of the issue
• Suggested mitigation or remediation actions
• PayPal account for transferring the bounty amount

Remark: When a security issue is already reported the bounty will be assigned to the person who reported it first. All reports of the same issue after the first report will have no bounty attached

• Placing malware.
• Copying, changing or deleting data in a system (an alternative to this is making a directory listing of a system).
• Making changes to the system.
• Accessing the system repeatedly or sharing access with others.
• Making use of so-called “brute-forcing” access to systems.
• Using denial-of-service or social engineering.

• We will respond within 3 working days with our assessment of the report and an expected date for a solution.
• We treat your report confidentially and will not share your personal information with third parties without your permission, unless this is necessary to comply with a legal obligation.
• We will keep you informed of the progress of resolving the vulnerability.
• You can report anonymously or under a pseudonym. However, we will then not be able to contact you about, for example, the next steps, the progress of closing the leak, publication or any reward for the report.
• In reporting about the reported vulnerability, we will, if you wish, mention your name as the discoverer of the vulnerability.
• We aim to resolve all issues as quickly as possible and keep all parties involved informed. We are happy to be involved in any publication about the vulnerability after it has been resolved.
• We can give you a reward as a thank you for your help and research, but are not obliged to do so.

We are happy to work with you to better protect our users and systems!

Rewards are based on the severity of the bug. Below are examples of issues that qualify for each severity level type.

Critical: $120
Example issues that qualify as critical:

• Remote Code Execution.
• Privilege escalation.

High: $80
Example issues that qualify as high:

• SQL injection.
• CSRF.
• XSS without user interaction.
• Customer data disclosure.

Medium: $40
Example problem that qualifies as a medium:

• XSS with user interaction.
• Sending spam using the forms on the website.

Low: $0

• We do not pay a bounty for minor problems.

Bounties are paid via PayPal. Severity can be calculated using the CVSS (base score) calculator. More information can be found here . All bounties are paid within 5 working days from the moment a response is sent about the reported vulnerability.