Responsible Disclosure

At Picqer, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.

Please do the following:

What we promise:

We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication of the problem after it is resolved.

Not everything is a 'vulnerability'

Keep in mind that not everything you think is a security problem is a real security risk for our application. Examples include not using CSRF tokens in some places, or not using a certain HTTP header that some people may view as a 'best practice'. We try to make the best decisions in all cases, but we will sometimes reach a different conclusion than you.

Please respect our risk analysis and our reasons for doing some things differently from what you may see as a best practice, just as we respect all your findings and reports.

Thank you for your co-operation.

Thank you's

We want to say thanks to the following people, who helped us fix problems and disclosed security vulnerabilities responsibly:

This document is based on the example at responsibledisclosure.nl