Responsible disclosure

Introduction

We are committed to the security of our software and digital systems, and we value the help of the wider Internet community in identifying, responsibly reporting and resolving faults and security vulnerabilities (“issues”).

Please follow the guidelines in this document when testing for and reporting issues.

Our contact details

In this document, the terms “we”, “us” and “our” refer to EverKnock Ltd, a limited company registered in England and Wales under company number 12633808.

Our registered office is at: International House, 24 Holborn Viaduct, London, England, EC1A 2BN.

To contact us about a security-related matter, we recommend that you e-mail your findings to infosec@everknock.com using OpenPGP encryption. Our public key fingerprint is @TODO.

Guidelines for reporting an issue

If you believe you have found an issue in our work, you should contact us in the first instance, using the details provided in this document.

Please supply a detailed description of the steps required to reproduce the issue you have discovered. It may be helpful to provide scripts, console output and screenshots.

Do not include any sensitive information such as payment details or personal data in your communication with us unless you are satisfied that the communication channel is encrypted.

You may wish to include the date, time and IP addresses from which you discovered the issue, so that we may eliminate your research from our investigations.

Please be willing to enter into dialogue with us to help us to understand the scope of the issue, so that we can resolve it fully and quickly. This means you will need to provide a working e-mail address via which we can contact you, ideally with a public OpenPGP key; you may use a pseudonym/handle in place of your real name.

We ask that you keep your discovery confidential until we confirm that we have resolved it to the extent that the issue is no longer exploitable.

Do not conduct research that is likely to degrade the availability or experience of our services for other users, and do not take advantage of your discovery beyond what is necessary to demonstrate it. For example, do not attempt something that (with forethought) is likely to:

  • Cause denial of service
  • Expose confidential data
  • Cause the destruction of data
  • Process a financial transaction
  • Violate the privacy of any of our users, customers, suppliers or staff
  • Download more data than you need to demonstrate the issue
  • Generate significant volumes of traffic

Unless we have offered a bounty, we would take an extremely dim view of an issue report in which you request any form of remuneration or compensation.

Our commitment to security researchers

We commit to not pursue or support any legal action related to your finding of a fault or security vulnerability, provided you have followed our guidelines for reporting an issue and your research is within the scope of this policy.

For projects where we maintain a list of contributors, we will gladly include your name and a web link or e-mail address to show our appreciation.

Scope

This policy applies to technical faults and vulnerabilities in any of the customer-facing digital services we own or operate, including our public-facing websites, and the open source software projects we manage.

Research that requires social engineering (phishing) or physical access to premises where you would be trespassing is explicitly out of scope.

Where we employ third-party suppliers in the provision of our services, please note that this policy does not automatically guarantee that these suppliers will take the same stance on issues discovered within their infrastructure.