Responsible Disclosure Policy
We care a lot about the security of our systems at Qwoater B.V. However, there might still be a vulnerability. If you discover a vulnerability in any of our systems, please tell us so that we can act quickly. We want to cooperate with you to improve the protection of our customers and our systems.
We only ask you to report findings related to our own Qwoater applications (QwoaterDIRECT and QwoaterREPORTS).
URL’s in scope:
- direct.qwoater.nl
- rapporten.qwoater.nl
- reports.qwoater.com
The Qwoater websites (qwoater.nl and www.qwoater.nl and onboarding.qwoater.nl) and related WordPress-related findings, and findings with regard to systems linked to Qwoater fall outside the scope of this responsible disclosure policy.
We ask you:
- E-mail your findings to support@qwoater.nl
- Not to exploit the problem by, for example, downloading more data than is necessary to demonstrate the leak or viewing, deleting or modifying data from third parties,
- Do not share the problem with others until it is resolved and delete all confidential data obtained through the leak immediately after the leak has been patched,
- Not to use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications, and
- Provide enough information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more complex vulnerabilities may require more.
What we promise:
- We will respond to your report within 3 days with our assessment of the report and an expected resolution date,
- If you have complied with the above conditions, we will not take any legal action against you regarding the report,
- We treat your report confidentially and will not share your personal data with third parties without your permission, unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is possible,
- We will keep you updated on the progress of resolving the issue,
- In communications about the reported problem, we will, if you wish, mention your name as the discoverer, and
- As a thank you for your help, we offer a reward for every report of a security issue unknown to us. We determine the size and type of the reward based on the severity of the breach and the quality of the report.
We strive to solve all problems as quickly as possible and we would like to be involved in any publication about the problem after it has been resolved.
