CVD Policy energiedirect.
At energiedirect we take security seriously. Security is integrated in our organization and software lifecycle. However, despite our best efforts, vulnerabilities can still find their way into our IT environment. If you happen to find a vulnerability in one of our systems, we want to hear from you and listen to what you found. That way we can look into any issues as soon as possible. This enables us to protect our customer data to the best of our abilities.
What we ask from you:
- Please email your findings to firstname.lastname@example.org.
- Do not abuse the vulnerability. Do not download more data than is strictly necessary. Do not look into, modify, or delete the data any more than needed in your investigation. Do not cause system instability or downtime when investigating your findings.
- Do not share information about the vulnerability publicly until we have remediated it.
- Please focus on technical vulnerabilities. Don’t engage energiedirect IT infrastructure through attacks on physical security, social engineering, distributed denial of service, phishing/spam or through third parties.
- Please provide us with all the information we need to reproduce the issue. This way we can fix the vulnerability as soon as possible. In most cases an IP address or URL with a short summary of the attack will suffice, but more complex vulnerabilities might require a more extensive explanation of the attack.
- Please remove any energiedirect data from your systems after you have confirmed that we have successfully remediated the vulnerability you found.
What you can expect from us:
- We aim to respond to your email within 3 working days with our assessment of the problem and an expected date for resolving it. Depending on the criticality of the vulnerability, we maintain different targets for when we will remediate it. We will let you know what our target remediation date for the vulnerability in question is.
- If you abide by the rules stated under “What we ask from you”, we won’t take any legal action against you regarding the reported vulnerability.
- We’ll treat your notification confidentially and will not share personal data without your permission, unless required by law. You can use an alias when contacting us.
- We’ll keep you informed on the progress of resolving the findings.
- In public communication regarding the reported vulnerability we will mention you as the reporter, if you want us to do so.
- As a token of our appreciation, we want to reward you for reporting a vulnerability we did not know about yet. Depending on the severity of the reported vulnerability and the quality of the report, we’ll reward you with a gift certificate of at least €50.
We want to resolve any reported vulnerability as quickly as possible. Should you choose to publish about the vulnerability after the report has been resolved, we would like to be involved in that publication.