Responsible disclosure

Oh noes, you found a security issue! Don't panic, take a deep breath, count to ten, and send us your findings!

We like to build good stuff, be it apps, websites, games or other software. But it's still possible we screwed up somewhere. If you find a flaw in our software, we'd love to hear about it! It'd be great if you gave us the chance to fix it before going public with it. ;) That way we can prevent misuse by people who are way less cool than you.

Our humble request to you:

  • Send your findings to disclosure@q42.nl. Encrypt your findings with our PGP key (link) to prevent the information from falling into the wrong hands.
  • Do not misuse the flaw by, for example, downloading more data than is needed to prove the flaw exists, by maliciously editing data, or removing data.
  • Do not share the issue with others until it is resolved, and remove all confidential data after the issue is solved.
  • Do not use attacks on physical security, social engineering, distributed denial of service attacks or spam.
  • Provide us with enough information to reproduce the issue so we can resolve it as fast as possible. Most of the time an IP address or URL and a short description of the vulnerability is sufficient, but with more complex issues more data might be required.

We promise:

  • To respond to your report within three office days.
  • To not take legal action against you, as long as you do not act in conflict with the requests above.
  • To treat your report and personal information confidentially. We will not provide your personal information to third parties, except when required by law. (Reporting under an alias is allowed.)
  • To keep you posted on our progress in solving the issue.
  • In publications about the reported issue, we will (if you want us to) credit you as the discoverer of the issue.
  • As a thank you we can offer you a reward for reporting an issue that was unknown to us. The kind of reward will be decided upon by us and is based on the severity of the issue and the quality of your report. Maybe you'd just like to come and visit us at our office for a friendly chat and try our slide. :D

We'll fix the issue ASAP, and would love to be in the loop when you make your findings public, after the issue has been solved.

Based on: https://responsibledisclosure.nl/en/
