Responsible disclosure
We consider the security of our systems a top priority. But no matter how much effort we put into system security, vulnerabilities may still be present.
If you discover a vulnerability, we would like to know about it so we can take appropriate measures as quickly as possible. We would greatly appreciate your help in protecting our clients and systems.
Please follow the steps below:
- E-mail your findings to responsibledisclosure@weareblox.com.
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data.
- Do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
- Provide sufficient information to reproduce the problem, so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation, for instance screenshots of the steps needed to reproduce the vulnerability or the software used to find it.
What we promise:
- We will respond to your report within 30 business days with our evaluation of the report and an expected resolution date.
- If you have followed the instructions above, we will not take any legal action against you in regard to the report.
- We will handle your report with strict confidentiality, and we will not pass on your personal details to third parties without your permission.
- We will keep you informed of the progress towards resolving the problem.
- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).
- As a token of our gratitude for your assistance, we offer a reward for every report of a security problem that was not yet known to us and that has a high enough impact on us or our customers. The amount of the reward will be determined by the severity of the problem and the quality of the report. The minimum reward is €50 in bitcoin.
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication of the problem after it is resolved.
Trivial security issues:
Security issues with the following properties will not be treated as vulnerabilities that need to be reported. If a combination of such issues creates a security vulnerability, we would like to hear about it; the issue will be examined and given the appropriate reward.
- General error messages regarding application or server errors
- HTTP 404 and other non-200 status pages
- The accessibility of public files and directories (such as robots.txt)
- CSRF issues on parts of the site that are available to anonymous users
- CSRF issues that have no (serious) undesirable consequences for users
- The HTTP TRACE method being enabled
- SSL/TLS attacks such as BEAST, BREACH and renegotiation
- SSL/TLS configurations that do not use forward secrecy
- A missing anti-MIME-sniffing header (X-Content-Type-Options)
- The lack of HTTP security headers
- The presence of mixed content (HTTP scripts on HTTPS pages) and the resulting browser warnings