Responsible Disclosure
Effective as of July 1, 2023
Introduction
At XLReporting, we consider the security of our systems a top priority. But no matter how
much effort we put into system security, there might still be vulnerabilities.
If you discover a vulnerability, we would like to know about it so we can take steps to
address it as quickly as possible. We appreciate your help to maximise the protection
of our clients, their data, and our systems.
Please do the following
- Please use our Contact form to submit a short description of
your findings. Do not include any details. When we engage with you, we will agree
how to exchange your findings and underlying information in a secure manner.
- Make sure you can provide us with sufficient information to reproduce the problem,
so we can resolve it as quickly as possible. Usually, the IP address or the
URL of the affected system and a description of the vulnerability will be
sufficient, but complex vulnerabilities may require further explanation.
- Do not take advantage of the vulnerability or problem you have discovered, for
example by downloading more data than necessary or by deleting or modifying data.
- Do not reveal the problem publicly or to others until we have had the opportunity to
resolve it.
- Do not use attacks based on physical security, social engineering, distributed
denial of service, spam, phishing, or applications of third parties.
What we promise
- We will respond to your report within 3 business days with our evaluation of the
report and our expected resolution date.
- If you have followed the instructions above, we will not take any legal action
against you in regard to the report.
- We will handle your report with strict confidentiality, and not pass on your
personal details to third parties without your permission.
- We will keep you informed of the progress towards resolving the problem.
- In the public information concerning the problem reported, we will give your name as
the discoverer of the problem, unless you desire otherwise.
- As a token of our gratitude for your assistance, we offer a reward for every report
of a security problem that was not yet known to us. The amount of the reward will be
determined based on the severity of the leak and the quality of the report. The
minimum reward will be a €50 gift certificate.
- We strive to resolve all problems as quickly as possible, and we would like to play
an active role in the eventual publication about the problem after it is resolved.
Questions or contact
If you have questions about this policy, or if you want to report a vulnerability, you
can reach us by phone during office hours at +31 30 227 2117, by email at info@xlreporting.com,
through our Contact form, or by writing to XLReporting Software
BV, Winthontlaan 200, 3526KV Utrecht, Netherlands.