Responsible Disclosure

At Databalance, we take the security of the digital platforms we manage very seriously. After all, effective security is a prerequisite for ensuring that the continuity of services of both ourselves and our clients can be guaranteed.

Unfortunately, vulnerabilities or misconfigurations can occasionally occur and can cause confidential data to be accessed unintentionally. This is a serious matter, because cybercriminals actively try to take advantage of such situations. Although we actively look for these vulnerabilities ourselves, we may occasionally miss one.

That is why we would like to hear from you if you find a vulnerability in one of our systems. We can then fix the vulnerability and make the internet a safer place. If you find a vulnerability, you may also be eligible for a reward. However, please read the following rules carefully first, so that you know what to expect from us.

What we expect of you:

  • If you investigate a vulnerability in one of our systems, you take the proportionality of your actions into account. If you can show that a vulnerability could take our network offline, you do not actually have to take our networks offline.
  • That proportionality also plays a role in demonstrating the vulnerability itself. You don’t view or change more data than is strictly necessary to demonstrate the vulnerability.
  • You should report a vulnerability in one of our systems as soon as possible by sending an e-mail to security@databalance.eu. Preferably you send the report encrypted with our public PGP key. You provide the report with sufficient information for us to reproduce and investigate the problem.
  • You must not share knowledge of the vulnerability with others until we have resolved it and the reasonable resolution period has elapsed.
  • You delete all confidential data obtained in your research immediately after we resolve the vulnerability.

If you abide by the above rules, we will abide by the rules below:

  • We will respond to your report within five days, including the expected resolution time. Naturally, we will continue to keep you regularly informed of the progress in resolving the problem.
  • We resolve the vulnerability as quickly as possible. Proportionality also plays an important role here: the time required to resolve a vulnerability depends on various factors, including the seriousness and complexity of the vulnerability.
  • If you adhere to the above expectations, we will not take legal action against you regarding your report.
  • As a thank-you for your help in better protecting our systems, we would like to reward you for reporting a previously unknown vulnerability. The reward will depend on the type of report, the systems affected (e.g. we can’t do much if it concerns an application of one of our customers), the severity of the vulnerability and the quality of the report.
  • If you find a vulnerability in software that we use but that was created by another party, and that vulnerability falls under a bug bounty program, then any bounty is of course yours.

Our PGP key can be found via this link.