Responsible disclosure policy

Have you found a security flaw? Please let us know!

InsiderLog takes security very seriously and we take many different steps to ensure the integrity of both our own and our customers’ information. But we are not perfect, and as technology evolves, new weaknesses may emerge in previously secure technologies. If you have found a security flaw, we ask that you let us know about it so that we can fix the problem and limit the exposure as quickly as possible.

Act responsibly

Finding and documenting a security flaw could constitute an unlawful data breach. But if you follow the rules below, we will not take any form of legal action against you. Quite the opposite, your help will be much appreciated.

  • Do not access more data than is necessary to demonstrate the vulnerability
  • Do not permanently modify or delete any data
  • Do not DDoS or otherwise disrupt, interrupt or degrade our services
  • Do not put a backdoor in the system, not even for the purpose of showing us the vulnerability
  • Do not target our end-users or interrupt their use of our services in any way
  • Most importantly, do not share any information about the vulnerability before receiving confirmation from us that it has been fixed
  • We do not accept any claims for compensation as a condition for reporting a vulnerability.

How to report?

Send an email to us at infosec@insiderlog.com. To keep the report itself secure, it would be great if you could use our public PGP key to encrypt the email.

For the report to be useful to us, please make sure to include the information below.

A detailed description of the vulnerability that will allow us to reproduce it. Please include screenshots and URLs, but keep in mind not to access or expose more data than necessary.

If you want to, please include your contact information and your public PGP key (if you have one) so that we can get in touch with you to ask questions and to keep you posted on our work to fix the issue.

What can be reported?

Reports should be about security-related flaws and vulnerabilities, not about technical errors such as images being displayed incorrectly, spelling errors, etc.

What will happen after the report?

We will confirm that we have received your report, keep you updated while we process the issue and inform you when it has been fixed.