Responsible disclosure

At Shock Media, we consider the security of our systems a top priority. Despite our continuous efforts to secure our systems, it is always possible that vulnerabilities are present. If you discover a vulnerability or weak spot in the security of our systems, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to cooperate with us to help us better protect our clients and our systems.

We would like to ask you to:

  • E-mail your findings to security@shockmedia.nl. You can encrypt your findings with our PGP key to prevent this critical information from falling into the wrong hands.
  • Not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data. We will take every report very seriously, even if you don’t provide us with ‘evidence’.
  • Delete all confidential information obtained through the breach as soon as possible after our confirmation that we were able to reproduce the issue.
  • Not excessively scan our network or infrastructure for vulnerabilities. We have monitoring in place and will probably detect and investigate such scans, which can lead to unnecessary costs.
  • Not use attacks on physical security, social engineering, phishing or distributed denial of service, and not place any malware or backdoors on our systems.
  • Treat any information about the issue as confidential and not share it with others.
  • Provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.

If you do, we promise:

  • We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date.
  • If you have followed the instructions above, we will not take any legal action against you in regard to the report.
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission. You can report your findings under an alias.
  • We will keep you informed of the progress towards resolving the problem.
  • If we publish any information about the problem reported, we will mention you as the reporter of the problem, unless you desire otherwise.
  • Although there is no financial reward, if you report a significant security problem that is still unknown to us, we would be happy to reward you with a small gift as a token of our gratitude.
  • If you so wish, we can also include you as reporter in our Acknowledgments.

We strive to resolve all problems as quickly as possible, and we would like to play an active role in any publication on the problem after it is resolved.

Acknowledgments

Shock Media thanks the following individuals and organizations that have identified vulnerabilities in accordance with our Responsible Disclosure Policy.

2019