At Forever Direct, security protection is a very important part of our systems. We work hard to maintain and improve the security of our systems; nevertheless, vulnerabilities may occur in our systems.
If you have found a vulnerability in one of the systems of Forever Direct, we would like to hear about this from you, so the necessary measures can be taken to rectify the vulnerability. We would like to work together with you to protect our customers and systems even better.
Forever Direct asks you to:
- Inform us about your findings as quickly as possible at firstname.lastname@example.org, preferably encrypted with a PGP key to prevent the information from falling into the wrong hands.
- Provide sufficient information to reproduce the problem so that Forever Direct can provide a quick resolution.
- Not exploit vulnerabilities, e.g. by downloading more data than is needed to demonstrate the vulnerability.
- Handle the knowledge on the security problem with care by not performing any acts other than those necessary to reveal the security problem.
- Not share the information on the security problem with others until the problem has been solved and erase any data obtained through vulnerabilities as soon as possible.
- Leave your contact details so that Forever Direct can contact you to cooperate on a safe result. Reporting anonymously or under a pseudonym is possible. Please be aware that in that case we will not be able to contact you about our progress or any reward for the report.
- Avoid the following acts: installing malware, copying, changing or deleting data in a system (an alternative to this is making a directory listing of a system), making changes to a system, repeatedly accessing the system or sharing access with others, using so-called “brute force” to access systems, and using denial-of-service or social engineering.
Forever Direct promises to:
- Resolve any vulnerability as soon as possible.
- Respond to your report with an assessment within three working days and provide an estimated time to resolution.
- Treat your report confidentially and not share your personal data unless required by law.
- Keep you informed of our progress in resolving the issue.
- Not take legal action against you regarding the reported vulnerability if you comply with the above requests.
- Mention you as the discoverer in reporting on the vulnerability, if you desire.
- Offer a reward for any first report of an unknown vulnerability as appreciation for your help. The exact reward will be determined by the severity of the vulnerability and the quality of the report, ranging from an honorable mention to a gift.