Responsible disclosure

Effective from 04 February 2019 until 19 November 2020
(superseding the previous version dated 18 January 2019)

• Definitions and contact details
• Responsible disclosure policy

---

Definitions and contact details

Unless the context clearly indicates otherwise, throughout this document, terms in the singular form shall include the plural (and vice versa) and any gender form shall include all others. General words shall not be given a restrictive interpretation by reason of being preceded or followed by words indicating a particular class of acts, matters or things.

The terms “we”, “us” and “our” refer to Solviq Ltd, a limited company registered in England and Wales under company number 08040908 and having our registered office at Lytchett House, 13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FA, United Kingdom.

Our VAT registration number is GB 135 3924 15.

To contact us, please write to us at our registered address, telephone us on +44 29 2014 0800, fax us on +44 29 2014 0801, or e-mail legal@solviq.com.

The terms “you” and “your” refer to the person discovering and/or reporting a security vulnerability.

The term “our work” includes all client-facing services and deliverables, our public-facing websites and the open source software projects we manage.

Responsible disclosure policy

• 1. Reporting an issue

  • 1.1. If you believe you have found a fault or security vulnerability in any of our work, you should contact us in the first instance.

  • 1.2. If you wish, you may use a pseudonym/handle when contacting us. However, we ask you to supply a working e-mail address so that we can contact you.

  • 1.3. If you are concerned about the security of the communication channel between you and us, it may not be appropriate to include full details of the vulnerability in your initial communication. In this case, you may contact us to agree arrangements for a more secure form of communication.

  • 1.4. Please supply a detailed description of the steps required to reproduce the vulnerability or fault you have discovered. It may be helpful to provide scripts, console output and screenshots.

  • 1.5. You may wish to include the time and IP addresses from which you discovered the issue, so that we may eliminate your research from our investigations.

  • 1.6. Please do not include any sensitive information such as payment details or individuals’ personal data in your communication with us unless you are satisfied that the communication channel is encrypted.

• 2. Our commitment to security researchers

  • 2.1. We commit to not pursue or support any legal action related to your finding of a security vulnerability or fault, provided:

    • 2.1.1. You have followed the above guidelines for reporting an issue;

    • 2.1.2. You enter into dialogue with us to help us to understand the scope of the issue, so that we can resolve it fully and quickly;

    • 2.1.3. You keep the information of your discovery confidential until we confirm that we have resolved it to the extent that your discovery is no longer exploitable;

    • 2.1.4. You have tried to minimize any negative impact on our services during the discovery.

  • 2.2. However, we would take an extremely dim view of an issue report in which you:

    • 2.2.1. Request any form of remuneration or compensation;

    • 2.2.2. Have deliberately attempted an attack that, with forethought, was likely to degrade the experience for other users or otherwise lead to denial of service;

    • 2.2.3. Have deliberately destroyed data within production systems;

    • 2.2.4. Have violated the privacy of any of our users, customers, suppliers or staff;

    • 2.2.5. Have processed a fraudulent financial transaction;

    • 2.2.6. Required physical access to specific premises where you would be trespassing.

• 3. Scope

  • 3.1. Where we employ third-party suppliers in the provision of our services, please note that this policy does not automatically guarantee that these suppliers will take the same stance on issues discovered within their infrastructure.

  • 3.2. Where we have created bespoke intellectual property for a client, please note that this policy does not automatically guarantee that this client will take the same stance on issues discovered within what is technically their intellectual property.