Coordinated Vulnerability Disclosure (CVD) Policy

Introduction

Duthler Associates considers the security of its systems important. Despite our concern for the security of our systems, it is possible that there is a weak spot.

A weak spot can be discovered accidentally. It may also have been deliberately sought. Our coordinated vulnerability disclosure policy is not intended as an invitation to extensively scan our systems for vulnerabilities. We continuously monitor our systems for vulnerabilities and a report could lead to unnecessary work and costs. For that reason, we do not call for active hacking attempts. However, as soon as you find vulnerabilities or weaknesses, we would appreciate it if you inform us as soon as possible.

We would like to hear

Your report gives us the opportunity to immediately take appropriate, additional and sufficient control and security measures, so that we can protect the data of our clients and our employees and guarantee the confidentiality, reliability and availability of that data.

We would like to work with you on this and build a lasting relationship with you.

We use the MYOBI Trust Network, a trusted third party.

We ask you

  • Send us the broad outlines of your findings via the MYOBI website (use this link);
  • Once you have registered with MYOBI, start the CVD scenario and inform us securely about the vulnerability and, if desired, your analysis of the possible impact on our business operations and your advice on how to remove the vulnerability;
  • Not to abuse the problem by, for example, downloading more data than is necessary to demonstrate the vulnerability or viewing, deleting or modifying data belonging to third parties;
  • Not to share the vulnerability with others until it is fixed, and to erase all confidential data obtained through the vulnerability immediately after it is fixed;
  • Not to use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications; and
  • Provide sufficient information to reproduce the vulnerability so that we can fix it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability will suffice, but more complex vulnerabilities may require more.

What we promise

  • We will acknowledge your report within one day and respond to your report within two days with our review of the report and an expected resolution date;
  • If you have complied with the above conditions, we will in principle not file a report against you with the police and will not take legal action against you in any other way;
  • We treat your report confidentially and will not share your personal data with third parties without your permission, unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is possible;
  • We will keep you informed of the progress of solving the problem;
  • When reporting on the problem, we will list your name as the discoverer if you wish;
  • As a thank you for your help, we offer a reward for each relevant report of a security problem unknown to us. We determine the size of the reward based on the seriousness of the leak and the quality of the report; and
  • We are happy to make additional agreements about the above points.

Finally

We aim to fix all vulnerabilities in the implemented control and security measures as quickly as possible and we would like to be involved in any publication about the problem after it has been solved.