At Snel.com, the security of our web applications is paramount. Despite our efforts, vulnerabilities may occur. If you find a vulnerability in our systems, we invite you to report it to us so that we can take swift action.
We appreciate your assistance in protecting our clients and systems.
We request that you:
- Do not exploit the vulnerability, e.g. by downloading, altering, or deleting data
- Keep the problem confidential until it has been resolved
- Do not use attacks on physical security, social engineering, or automated tools such as vulnerability scanners
- Provide enough information to reproduce the issue so that we can resolve it promptly
In return, we promise that:
- We will respond within 5 working days with an assessment of your report and an expected resolution date
- We will not pursue legal action against you if you comply with these guidelines
- Your report will be treated confidentially, and your personal details will not be shared with third parties without your consent
- We will keep you informed of the progress made in resolving the issue
- If you wish, we will credit you as the discoverer in any publication about the problem
- We offer a reward for reporting previously unknown security issues, based on the severity of the vulnerability and the quality of the report, with a minimum of a € 75.00 voucher. Trivial vulnerabilities and non-exploitable bugs are excluded (see 'Exclusions' for details).
Our aim is to resolve all issues promptly, keep all parties informed, and be involved in any publication about the problem after its resolution.
Snel.com gives no reward for trivial vulnerabilities or for bugs that cannot be exploited. Below are examples (not exhaustive) of known issues and accepted risks that fall outside the above arrangement:
- HTTP 404 or other non-200 status codes/pages, and content spoofing or text injection on those pages
- Reports about HTTP security headers (missing or misconfigured headers)
- Issues with the SSL/TLS configuration, such as:
  - Forward secrecy disabled
  - Weak or insecure cipher suites
- Fingerprinting or version disclosure on public services
- Missing best practices or raw output from automated scanning tools (web, SSL/TLS, Nmap scans, etc.) without proof of exploitability
- Public files or directories containing non-sensitive information (e.g. robots.txt)
- Clickjacking, and issues that are only exploitable through clickjacking
- Missing Secure or HttpOnly flags on non-sensitive cookies
- The OPTIONS HTTP method being enabled
- Issues with STARTTLS, DNSSEC, DANE, SPF, DKIM, or DMARC
- Host header injection
- Information exposure in file metadata
Source Acknowledgement: Our policy is based on the example policy by Floor Terra (responsibledisclosure.nl) and is under a Creative Commons Attribution 3.0 license.