Responsible Disclosure
At Solvinity the security of our systems is of utmost importance. Despite our attention to security, it may happen that there is a weak spot in one of our systems or in one of our customers’ systems.
Our policy for responsible disclosure is not an invitation to actively and extensively scan our company network to uncover vulnerabilities. We monitor our company network ourselves.
If you still find a flaw in our systems, we would like to receive a Coordinated Vulnerability Disclosure (CVD), so we can take measures as soon as possible. We would like to cooperate with you in order to better protect our customers and our systems.
Which vulnerabilities can be reported via a CVD?
Vulnerabilities that pose a risk to system security can be reported to us. Examples include vulnerabilities that enable login forms to be bypassed or provide unauthorized access to databases containing personal information.
Not every defect in a system constitutes a vulnerability. In general, the following defects do not result in a potential security breach and we therefore kindly request that you do not report such vulnerabilities to us:
- Defects that do not affect the availability, integrity or confidentiality of data.
- The availability of the WordPress xmlrpc.php functionality when its abuse is limited to what is known as a 'pingback denial-of-service' attack.
- The opportunity to use cross-site scripting on a static website or a website that does not process any sensitive (user) data.
- The availability of version information, for example via an info.php file. One possible exception in this scenario is when the version information reveals that the system uses software that contains known vulnerabilities.
- The lack of HTTP security headers as used by mechanisms such as Cross-Origin Resource Sharing (CORS), unless this lack of a security header demonstrably results in a security problem.
If you have any doubts about whether the defect you have found constitutes one of the above exceptions, then you can of course still report the defect to us. We will subsequently determine whether the defect constitutes a vulnerability and take appropriate follow-up action.
What we ask of you
- E-mail your findings to security@solvinity.com. Encrypt your findings with our PGP key (fingerprint 4F90 3393 06A6 674E 9486 5509 7E0B 4A53 0F4D 88ED) to prevent the information from falling into the wrong hands.
- To not abuse the problem, for instance by downloading more data than necessary to demonstrate the leak, by looking into, removing or changing data of third parties, or by introducing malware.
- To not share the problem with others until it is solved, and to delete all confidential data that was obtained through the leak as soon as it has been closed.
- To not make use of attacks on physical security, social engineering, distributed denial of service, spam or third-party applications.
- To give sufficient information to reproduce the problem so we can solve it as soon as possible. Usually the IP address or the URL of the affected system and a description of the vulnerability are sufficient, but more complex vulnerabilities may require additional information.
What we promise you
- We will respond to your message within 3 business days with our assessment of the issue and an expected date for the solution.
- If you have complied with the above-mentioned conditions, then there will be no grounds for legal consequences in relation to your report.
- We will treat your notification confidentially and your personal information will not be shared with third parties without your permission, unless this is necessary to fulfill a legal obligation. Reporting under a pseudonym is possible.
- We will keep you updated on the progress of the solution of the issue.
- In the communication about the reported issue, we will, if you wish, mention your name as the discoverer.
We strive to resolve any problems as quickly as possible, and we would like to be involved in any publication about the problem after it is resolved.