
Responsible disclosure

Introduction {#introduction}

We are committed to the security of our software and digital systems, and we
value the help of the wider Internet community in identifying, responsibly
reporting and resolving faults and security vulnerabilities ("issues").

Please follow the guidelines in this document when testing for
and reporting issues.

Our contact details {#contact}

In this document, the terms "we", "us" and "our" refer to EverKnock Ltd, a
limited company registered in England and Wales under company number 12633808.

Our registered office is at: International House, 24 Holborn Viaduct, London,
England, EC1A 2BN.

To contact us about a security-related matter, we recommend that you e-mail
your findings to infosec@everknock.com using OpenPGP encryption. Our public
key fingerprint is @TODO.

Guidelines for reporting an issue {#guidelines}

If you believe you have found an issue in our work, you should contact us in the first instance, using the details provided in this
document.

Please supply a detailed description of the steps required to reproduce the
issue you have discovered. It may be helpful to provide scripts, console
output and screenshots.

Do not include any sensitive information such as payment details or personal
data in your communication with us unless you are satisfied that the
communication channel is encrypted.

You may wish to include the date, time and IP addresses from which you
discovered the issue, so that we may eliminate your research from our
investigations.

Please be willing to enter into dialogue with us to help us to understand the
scope of the issue, so that we can resolve it fully and quickly. This means
you will need to provide a working e-mail address via which we can contact you,
ideally with a public OpenPGP key; you may use a pseudonym/handle in place of
your real name.

We ask that you keep your discovery confidential until we confirm that we have
resolved it to the extent that the issue is no longer exploitable.

Do not conduct research that is likely to degrade the availability or
experience of our services for other users, and do not take advantage of your
discovery beyond what is necessary to demonstrate it. For example, do not attempt
something that (with forethought) is likely to:

Unless we have offered a bounty, we would take an extremely dim view of an
issue report in which you request any form of remuneration or compensation.

Our commitment to security researchers {#our-commitment}

We commit not to pursue or support any legal action related to your finding of
a fault or security vulnerability, provided you have followed our
guidelines for reporting an issue and your research is within
the scope of this policy.

For projects where we maintain a list of contributors, we will gladly include
your name and a web link or e-mail address to show our appreciation.

Scope {#scope}

This policy applies to technical faults and vulnerabilities in any of the
customer-facing digital services we own or operate, including our public-facing
websites, and the open source software projects we manage.

Research that requires social engineering (phishing) or physical access to
premises where you would be trespassing is explicitly out of scope.

Where we employ third-party suppliers in the provision of our services, please
note that this policy does not automatically guarantee that these suppliers will
take the same stance on issues discovered within their infrastructure.

Where we have created bespoke intellectual property for a client, please note
that this policy does not automatically guarantee that this client will take
the same stance on issues discovered within their intellectual property.
