Responsible Disclosure Policy
1. Purpose
We take the security of our systems seriously. Despite our efforts, vulnerabilities may still occur. This policy describes how external researchers can report them safely and responsibly.
2. What we expect
We ask researchers to:
- Report vulnerabilities as soon as possible
- Not exploit the vulnerability
- Not modify, delete, or download data (limit to minimal proof)
- Not retain access to systems after a vulnerability has been demonstrated
- Not disclose findings before the issue has been resolved
- Use only methods that do not cause disruption
3. What we offer
If you adhere to this policy:
- We will not take legal action against you
- We will treat your report confidentially
- We will keep you informed of progress
- We will credit you (optionally) as the discoverer after resolution
4. Scope
This policy applies to:
- All public systems and applications of Kubus / BIMcollab
- Websites, APIs, and SaaS platforms under our domains
Not permitted:
- Social engineering (phishing, pretexting)
- DDoS or brute force attacks
- Physical attacks
- Use of automated scanners that cause disruption
5. How to report
Send a report to: security@bimcollab.com
Include at least:
- Description of the vulnerability
- Steps to reproduce the issue
- Impact assessment
- Any screenshots or proof-of-concept
- Contact details
6. Handling of reports
- You will receive an acknowledgment of receipt within 2 business days
- You will receive an initial substantive response within 5 business days
- We aim to resolve the issue within 90 days, depending on complexity
- Publication may occur after resolution, subject to consultation
7. Rewards
We offer financial rewards through our Bug Bounty program.
8. Privacy and data
- Treat any data obtained confidentially
- Do not share personal data
- Delete all data immediately after reporting
9. Changes
We may amend this policy. The most current version is always available on our website.