Responsible disclosure policy

Version 1.1, 16-11-2020

At Thalia, we take the security of our infrastructure and digital systems seriously. We develop, build and deploy all systems with security in mind. However, we can never be 100% secure and vulnerabilities will, unfortunately, present themselves. If you find a (potential) vulnerability or security issue, we would appreciate it if you inform us as soon as possible.

How to notify us

We ask you to

  • give detailed reports of your findings to help us identify the underlying problem.
  • only exploit vulnerabilities to confirm their presence.
  • not share your report with anybody else until the problem has been fixed.
  • involve us if you want to publish your report once it has been fixed.
  • respect the privacy of our members.

We promise to

  • take your reports seriously.
  • respond to your reports as soon as possible.
  • solve the issue as soon as possible.
  • respect your privacy and treat your reports confidentially.
  • keep you up to date and work with you to solve the underlying problem.
  • credit you in any internal and external announcements (with your permission).
  • not take any legal action if you followed the above guidelines.

What is in scope

  • You may try to exploit: https://thalia.nu/*
  • Any resource that is not listed here is out of scope and may not be tested.

If you happen to find something on an unlisted resource, please let us know.

Which attacks are disallowed

Because we are a small organisation, we ask you not to use the following attack methods:

  • social engineering
  • physical attacks
  • (distributed) denial of service
  • spam attacks
  • automated scanners

Exceptions

The following reports will not be taken into consideration:

  • the SPF / DKIM / DMARC policy of our mail domains

Thank you for your concern, but we are already aware of these issues.