Responsible disclosure
Report vulnerabilities
At Mediq, we are committed to ensuring the safety and security of our systems. Despite all our care and attention to secure our systems, it is possible that a vulnerability is overlooked. Do you think you have discovered a vulnerability in our systems? Please let us know by following the guidelines below.-
Reporting procedure
- E-mail your findings to security@mediq.com. If possible, encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands.
- Provide sufficient information to reproduce the detected vulnerability, so we can resolve it as quickly as possible. Usually the IP address or the URL of the affected system and a description of the vulnerability will be sufficient. Complex vulnerabilities may require further explanation.
- Do not take advantage of the vulnerability you have discovered. For example, by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data.
- Do not reveal the vulnerability to others and delete all confidential data obtained.
- Provide your contact details so that we can contact you to work together on fixing the issue. Provide at least your email address or phone number.
-
Please do not do the following
In any case, do not:
- Place malware on our systems.
- Copy, change or delete data in a system (an alternative is to make a directory listing of a system).
- Make changes to the system.
- Access the system repeatedly or share access with others.
- Use so called ‘brute force attacks’ to access systems.
- Use denial-of-service or social engineering.
-
This is what we will do with your report
- We will respond to your report within 3 working days with our evaluation of the report and an expected resolution date.
- If you have followed the instructions above, we will not take any legal action against you regarding how you gained access, the breach or the reporting of the vulnerability.
- We will handle your report in the strictest confidence. We will not pass on your personal details to third parties without your permission, unless this is required to comply with the law. If you wish, you may report vulnerabilities anonymous.
- We will update you on the progress towards resolving the vulnerability.
- We will provide full credit to researchers who make a vulnerability report or perform testing, in publicly released patch or security fix release information, if requested.
-
What this responsible disclosure policy is not for
The policy for responsible disclosure is not an invitation to actively scan our IT systems for vulnerabilities. Mediq scans and monitors its IT systems itself. Our responsible disclosure policy is also not intended for:
- comments on the services that Mediq provides;
- comments or questions about the accessibility of our services;
- reporting fraud or potential fraud;
- reporting potential false or so-called phishing e-mails;
- reporting viruses and / or malware;
- reporting of complaints.