At Tidsbanken AS, we take the security of our systems and data seriously. We welcome and appreciate security researchers and individuals who discover vulnerabilities in our systems or applications and disclose them to us in a responsible manner. This Responsible Disclosure Policy outlines the guidelines and procedures for reporting security vulnerabilities to us.
This Responsible Disclosure Policy applies to all systems, applications, websites, and services owned or operated by Tidsbanken AS.
We prefer that all reports and communications regarding security vulnerabilities be submitted in English or Norwegian to facilitate clear and effective communication between security researchers and our security team.
Responsible Disclosure: We request that you refrain from publicly disclosing the vulnerability until we have had an opportunity to investigate and address it. We strive to resolve security issues promptly and will keep you informed of our progress throughout the process.
If you discover a potential security vulnerability, please follow either of these two procedures to report it to us:
To report via GitHub:
- Gather Information: Collect as much information as possible about the vulnerability, including a description of the issue, the affected system or application, and any steps to reproduce the vulnerability.
- Submit a Report: Submit a detailed report of the vulnerability to our security team via GitHub by clicking the "Report a vulnerability" button on the repository's Security tab or by clicking here.
- Follow the Instructions: Follow the instructions provided by GitHub to submit your report. Please include a detailed description of the vulnerability, the affected system or application, and any steps to reproduce the vulnerability.
To report via email:
- Gather Information: Collect as much information as possible about the vulnerability, including a description of the issue, the affected system or application, and any steps to reproduce the vulnerability.
- Contact Us: Submit a detailed report of the vulnerability to our security team via email at teknisk@tidsbanken.no. Please include "Security Vulnerability Disclosure" in the subject line. You may choose to remain anonymous, but please provide a valid contact email address so we can communicate with you regarding the vulnerability and its resolution.
- Provide Contact Information: Include your contact information in the report, including a way to contact you, and any other relevant contact details. This will allow us to communicate with you regarding the vulnerability and its resolution.
When reporting a security vulnerability, please adhere to the following guidelines:
- Do Not Violate Privacy: Do not access, modify, or delete data that does not belong to you. Only interact with systems or applications in ways that are necessary to identify and demonstrate the vulnerability.
- Do Not Disrupt Services: Do not engage in activities that may disrupt or degrade the performance of our systems or applications. Do not attempt to execute denial-of-service attacks, spam, or other malicious activities.
- Do Not Share Information: Do not share information about the vulnerability with others until it has been resolved. Keep the details of the vulnerability confidential until we have had an opportunity to investigate and address it.
- Do Not Exploit the Vulnerability: Do not exploit the vulnerability for any purpose other than to demonstrate the security issue to us. Do not use the vulnerability to gain unauthorized access to systems or data.
Tidsbanken AS will not pursue legal action against security researchers or individuals who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy, provided they do not engage in malicious activities or violate applicable laws.
We do not offer monetary rewards for reporting security vulnerabilities, but we will acknowledge and thank you for your efforts in helping us improve the security of our systems and applications.
If you have any questions about this Responsible Disclosure Policy, please contact our security team at teknisk@tidsbanken.no.
Thank you for your cooperation and assistance in keeping our systems and data secure and protected.