Responsible disclosure

Responsible disclosure

Effective from 19 November 2020
(superseding the previous version dated 04 February 2019)

Introduction

We are committed to the security of our software and digital systems, and we value the help of the wider Internet community in identifying, responsibly reporting and resolving faults and security vulnerabilities (“issues”).

Please follow the guidelines in this document when testing for and reporting issues.

Our contact details

In this document, the terms “we”, “us” and “our” refer to Solviq Ltd, a limited company registered in England and Wales under company number 08040908.

Our registered office is at: Lytchett House, 13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, BH16 6FA, United Kingdom.

To contact us about a security-related matter, we recommend that you e-mail your findings to infosec@solviq.com using OpenPGP encryption. Our public key fingerprint is 3F78 890F DAAE 691F 2F74 A240 76E2 8499 06B2 1B25.

Guidelines for reporting an issue

If you believe you have found an issue in our work, you should contact us in the first instance, using the details provided in this document.

Please supply a detailed description of the steps required to reproduce the issue you have discovered. It may be helpful to provide scripts, console output and screenshots.

Do not include any sensitive information such as payment details or personal data in your communication with us unless you are satisfied that the communication channel is encrypted.

You may wish to include the date, time and IP addresses from which you discovered the issue, so that we may eliminate your research from our investigations.

Please be willing to enter into dialogue with us to help us to understand the scope of the issue, so that we can resolve it fully and quickly. This means you will need to provide a working e-mail address via which we can contact you, ideally with a public OpenPGP key; you may use a pseudonym/handle in place of your real name.

We ask that you keep your discovery confidential until we confirm that we have resolved it to the extent that the issue is no longer exploitable.

Do not conduct research that is likely to degrade the availability or experience of our services for other users, and do not take advantage of your discovery beyond what is necessary to demonstrate it. For example, do not attempt something that (with forethought) is likely to:

  • Cause denial of service
  • Expose confidential data
  • Cause the destruction of data
  • Process a financial transaction
  • Violate the privacy of any of our users, customers, suppliers or staff
  • Download more data than you need to demonstrate the issue
  • Generate significant volumes of traffic

Unless we have offered a bounty, we would take an extremely dim view of an issue report in which you request any form of remuneration or compensation.

Our commitment to security researchers

We commit to not pursue or support any legal action related to your finding of a fault or security vulnerability or fault, provided you have followed our guidelines for reporting an issue and your research is within the scope of this policy.

For projects where we maintain a list of contributors, we will gladly include your name and a web link or e-mail address to show our appreciation.

Scope

This policy applies to technical faults and vulnerabilities in any of the customer-facing digital services we own or operate, including our public-facing websites, and the open source software projects we manage.

Research that requires social engineering (phishing) or physical access to premises where you would be trespassing is explicitly out of scope.

Where we employ third-party suppliers in the provision of our services, please note that this policy does not automatically guarantee that these suppliers will take the same stance on issues discovered within their infrastructure.

Where we have created bespoke intellectual property for a client, please note that this policy does not automatically guarantee that this client will take the same stance on issues discovered within their intellectual property.