Responsible Disclosure

Docbyte Responsible Disclosure Procedure

OID 1.3.6.1.4.1.59389.2.2.3.1.0


Introduction


Docbyte considers the security of its systems a top priority. Our goal is to protect people’s privacy and information confidentiality. This means fixing vulnerabilities as soon as possible and encouraging people to tell us about any vulnerabilities they discover.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. Please help us better protect our systems and therefore our customers.


How to tell us


If you discover a vulnerability, please do the following:


E-mail your findings to cert@docbyte.com.

In the header of the mail, please provide the keywords “Responsible Disclosure” followed by the URL where you found the vulnerability.

In the body of the mail, please provide the following information:

  • The URL where you found the vulnerability
  • Type of vulnerability
  • Whether the vulnerability has been published or shared with others
  • Step-by-step instructions / proof-of-concept code to replicate the issue. Please provide sufficient information to reproduce the problem, so we can resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
  • Was personal information exposed?
  • What has happened with any personal information exposed?
  • Your contact details for further information exchange (as far as you can/want to share them)


What we will do


We will acknowledge receipt as soon as possible, and within 7 working days we will provide you with an update on the progress of our investigation.


We will look at the reported vulnerability and work on it with our engineering team. We will notify you of what the investigation found and what we decided to do.


We aim to address all vulnerabilities as quickly as possible, but we might be reliant upon contracted external software suppliers.


If appropriate, we will handle this notification as a privacy breach and tell people whose personal information may have been disclosed as prescribed by the Docbyte GDPR Data Breach Management Procedure.


We will work with you if you want to publicly disclose finding the vulnerability.


What you should not do


Some types of behavior are not reasonable research approaches. Please do not try actions that can cause harm:


  • Do not take advantage of the vulnerability or problem you have discovered
  • Do not reveal the problem to others until it has been resolved
  • Do not execute attacks of any type
  • Do not access, destroy or corrupt data that does not belong to you
  • Do not share any information you obtained


Our Commitment


If you act in good faith and follow this policy, we make these commitments to you:


  • We will not take any legal action against you with regard to your report
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission
  • The information you share with us as part of this process will be kept confidential
  • We will keep you informed of the progress towards resolving the problem
  • In the public information concerning the problem reported, we will acknowledge your contribution (unless you desire otherwise)


We strive to resolve all problems as quickly as possible.


Contact Details


If you have any queries, or you would like to contact us directly:



© 2022 Docbyte. All Rights Reserved.