Disclosure Policy

We pay a lot of attention to development and maintenance. However, sometimes vulnerabilities escape detection.

We appreciate you notifying us if you find one. We would prefer to hear about it as soon as possible so that we can take measures to protect our customers.

Reporting

If you believe you’ve found a security issue in our product or service, please notify us as soon as possible.

  • Do not share information about the security problem with others until the problem is resolved.
  • Provide information about how and when the vulnerability or malfunction occurs. Clearly describe how this problem can be reproduced and provide information about the method used and the time of the investigation.
  • Be responsible with the knowledge about the security problem. Do not perform any actions beyond those necessary to demonstrate the security problem. Do not abuse the vulnerability and do not keep confidential data obtained through the vulnerability in the system.
  • Leave your contact details (e-mail address or telephone number) if you want, so that we can contact you about the assessment of your report and the progress of resolving the vulnerability. We also take anonymous reports seriously.
  • Do not use physical attacks, DDoS attacks, or social engineering.

How do we handle Responsible Disclosure?

When you report a suspected vulnerability in an IT system, we will deal with this in the following way:

  • You will receive confirmation of receipt from us within three business days after the report.
  • You will receive a response within seven business days after the confirmation of receipt containing an assessment of the report and the expected date of resolution. We strive to keep you informed on the progress of the resolution.
  • We will treat your report confidentially and will not share your information with third parties without your permission unless this is required by law or by a court order.
  • We will determine together with you whether and how the problem is reported on. The problem will only be reported on after it has been resolved. If you wish, we will mention your name as the discoverer in the report on the problem.