Responsible Disclosure Policy

1. Purpose

This policy defines Ockto’s approach to receiving, managing, and responding to reports of security vulnerabilities in our applications. Its goal is to protect customer data and maintain trust by encouraging responsible reporting and ensuring timely remediation of potential security issues.

2. Scope

This policy applies only to vulnerabilities identified in Ockto’s applications and related APIs. It does not cover vulnerabilities in Ockto’s public website (ockto.eu) or any third-party systems outside Ockto’s operational control.

3. Responsible Disclosure Principles

Good-Faith Testing

  • We welcome reports from security researchers who act in good faith and follow the rules outlined in this policy.
  • Testing must not disrupt our services or impact the availability of Ockto applications for other users.
  • Avoid accessing, modifying, or deleting any data that does not belong to you.

Reporting Vulnerabilities

  • Send a detailed report to: support@ockto.nl.
  • Include enough information for us to reproduce and validate the issue (e.g., affected application component, steps to reproduce, proof-of-concept).
  • If applicable, include screenshots or code snippets that clearly demonstrate the vulnerability.

Prohibited Activities

  • Do not exploit vulnerabilities beyond what is necessary to demonstrate their existence.
  • Do not publicly disclose the vulnerability before Ockto has confirmed a fix or provided explicit approval.
  • Do not attempt social engineering, phishing, or physical attacks on Ockto employees or infrastructure.

4. Ockto’s Commitments

  • We will confirm receipt of your report within 7 calendar days.
  • We will investigate the issue and, if validated, prioritise remediation based on its severity and impact.
  • We will keep you informed of the status of your report, especially when a fix is deployed.
  • While Ockto does not offer financial rewards or a formal bug bounty, we will acknowledge your contribution privately and may offer public thanks if both parties agree.

5. Legal Safe Harbor

If you follow the principles outlined in this policy, Ockto will not initiate legal action against you for activities conducted in good faith to identify and report a security vulnerability.