Responsible Disclosure Policy

Last updated: 18 June 2024

Introduction

Dataception Ltd ("Dataception", "we", "us", or "our") is committed to ensuring the security and integrity of our systems and data. We recognize the importance of security researchers and members of the community in helping us identify vulnerabilities and issues that could compromise the confidentiality, integrity, or availability of our systems. This Responsible Disclosure Policy outlines our commitment to working with these individuals to address security vulnerabilities promptly and effectively.

How to Reach Us

Send an email to security@Dataception.com.

Please notify us as soon as possible after you discover a real or potential security issue. When emailing us, include the following information to enable a quicker response:

  • A detailed description of the vulnerability.
  • Steps to reproduce the issue.
  • Any relevant screenshots or documentation that can help us resolve the issue faster.
  • Contact information we can use to reach you.

Please avoid submitting a high volume of low-quality reports.

Guidelines

1. Report Submission: 
If you believe you have discovered a security vulnerability, we encourage you to report it to us as soon as possible by sending an email to security@Dataception.com. Please include a detailed description of the vulnerability, along with any supporting evidence or steps to reproduce the issue.

2. Responsible Disclosure: 
We request that you do not disclose the vulnerability publicly until we have had an opportunity to investigate and address it. We commit to acknowledging receipt of your report within 3 business days and to providing regular updates on our progress toward resolution.

3. Cooperation: 
We appreciate your cooperation in helping us assess and remediate the reported vulnerability. We may reach out to you for additional information or clarification during the investigation process. We ask that you respond promptly to any communication from our security team.

4. Non-Disclosure: 
We respect the privacy and confidentiality of security researchers and will not disclose your identity or the details of the vulnerability without your permission, except as required by law.

5. Responsible Testing: 
We ask that you refrain from conducting any tests or activities that could disrupt or degrade the performance of our systems or compromise the privacy or security of our users or data.

6. Legal Compliance: 
Ensure that your research does not violate any applicable laws or regulations. Unauthorized testing or accessing systems without explicit permission is prohibited.

What You Can Expect From Us

  • Acknowledgment: We will confirm with you that we have received your report as soon as reasonably possible.
  • Transparency: To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including any issues or challenges that may delay resolution.
  • No Compensation: Dataception does not provide payment to reporters for submitting vulnerabilities. By submitting vulnerabilities to Dataception, you waive any claims to compensation.
  • Recognition: Where applicable and with your consent, we will give public recognition for your contributions to improving our security.

What We Expect From You

In upholding responsible disclosure practices, we expect you to:

  • Legal Compliance: Do not break any applicable laws or regulations.
  • Ethical Behaviour: Do not exploit potential vulnerabilities to access restricted information.
  • Data Integrity: Do not modify or remove information.
  • Testing Limitations: Do not use high-intensity invasive or destructive scanning tools to find vulnerabilities.
  • Service Availability: Do not affect availability through denial-of-service attacks.
  • Report Quality: Avoid submitting trivial issues, such as non-sensitive misconfigurations (e.g., missing cookie flags).
  • No Social Engineering: Do not conduct social engineering, phishing, or similar attacks targeting Dataception personnel and customers.
  • Responsible Disclosure: Report any potential vulnerabilities you find to us first, and allow us time to evaluate and mitigate them before going public.

Disclaimer

This Responsible Disclosure Policy does not grant permission to engage in any activity that violates the law or our Acceptable Use Policy. We reserve the right to take appropriate action, including legal action, against individuals who engage in unauthorized or malicious activities.

Changes to This Policy

Dataception reserves the right to update or modify this Responsible Disclosure Policy at any time without prior notice. Please check this page regularly for any changes.