At Grasple, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.
Please do the following:
- E-mail your findings to firstname.lastname@example.org. Encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands.
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system(s) and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
- Achieve a proof of concept and stop there. Report this proof of concept to us and do not exploit the proof of concept further to gain access to and/or extract (sensitive) data or information.
- Use your own test account(s) for the proof of concept. Do not use accounts of others.
- Do not take advantage of the vulnerability or problem you have discovered, not even to demonstrate the vulnerability. For example, do not download sensitive data (of others), or delete or modify other users’ data, to demonstrate the vulnerability.
- Do not reveal the problem to others; we will do so if needed/required (see the last point under “What we promise”).
- Do not use the following kinds of attacks:
  - physical security
  - social engineering
  - (distributed) denial of service
  - attacks on applications of third parties.
- Usage of scanners is not allowed. Scripting is allowed, but only with a request count comparable to a normal user using the interface/endpoints; otherwise we treat it as a DoS attack, which is not allowed.
- If you want to use a scanner or a high-intensity script, please contact us at email@example.com. We are open to discussing such usage at predefined times.
What we promise:
- We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date.
- If you have followed the instructions above, we will not take any legal action against you in regard to the report. We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
- We will keep you informed of the progress towards resolving the problem.
- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).
- Since we are a small social enterprise, our budget is limited, but as a token of appreciation we do offer (symbolic) small monetary rewards for issue reports.
- We offer a (symbolic) small monetary reward for every report of a security problem that was not yet known to us. The amount of the reward will be determined based on the severity of the leak and the quality of the report.
- We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.
- We aim to reveal as much information as possible to the public about the exploit or vulnerability. However, this is done taking into consideration the (legal) agreements with our customers. We will control the flow of information to the public.
The program covers any exploitable vulnerability that
- can compromise the integrity of our user data;
- can disclose sensitive information (for example: remote code execution, SQL injection, Cross-Site Scripting, Cross-Site Request Forgery, information disclosure of sensitive data, authentication theft or bypass, clickjacking).
Make sure your submission report includes:
- the proof of concept and replication information;
- if possible (without violating this policy), a proof of concept of an exploit using the reported vulnerability.
We exclude (for now) the following from this policy and thus the bug bounty program:
- This is not a BETA test program. Cosmetic bugs, UX issues, product crashes that can’t be exploited will not qualify.
- (D)DoS vulnerabilities are not considered at this time. We will reconsider these in the future, but they are excluded from this program at the moment.
- Social engineering attacks.
- Physical security attacks.
- Vulnerabilities in the applications of third parties which do not lead to an exploitable vulnerability in our platform.
We encourage you to send your submissions in an encrypted format to firstname.lastname@example.org.
We prefer PGP, and you can import our public key from here. Make sure your report includes:
- A clear and relevant title
- Affected product / service
- Vulnerability details and impact
- Reproduction steps / Proof of Concept
We use known vulnerability ratings, such as the Vulnerability Rating Taxonomy of Bugcrowd, in combination with our own impact assessment to determine the severity of the vulnerability and the associated reward.
The rewards fall in the following ranges per severity rating:
- P1: 700 - 1000 euro
- P2: 400 - 700 euro
- P3: 200 - 400 euro
- P4: 100 - 200 euro
- P5: 0 - 100 euro
Questions and feedback
Regarding questions or feedback related to this Responsible Disclosure policy, you can contact us via email: