Responsible Disclosure

We take the security of our systems and users very seriously and are committed to improving it. Despite all precautions, it remains possible that a vulnerability can be found in the systems. To stay one step ahead of malicious parties, we would like anyone who finds a vulnerability in our systems to report it to us.

By making a report, you as the reporter agree to the Responsible Disclosure agreements below, and we will handle your report in accordance with them.

We ask the following of you:

  • Submit the report as soon as possible after the discovery of a potential vulnerability.
  • To report, use the appropriate "Report Responsible Disclosure" form.
  • Please provide enough information to reproduce the problem so we can resolve it as soon as possible.
  • We welcome tips to help us solve the problem. Please limit your advice to verifiable factual information related to the vulnerability you have identified, and make sure your advice does not amount to advertising specific (security) products.
  • Avoid violating privacy, degrading the user experience, disrupting production systems and destroying data during security testing.
  • Do not share the problem with others until it is resolved.

What is not allowed:

For the safety of our users, employees, the Internet in general and you as a security researcher, the following actions are not permitted:

  • Testing applications other than this domain, namely "shift2.co.uk";
  • Taking actions beyond what is strictly necessary to demonstrate and report the security problem.
  • Social engineering and/or physical testing (e.g. phishing, tailgating).
  • Using techniques that reduce the availability and/or usability of the system or services (e.g. DoS attacks).
  • Posting malware.
  • Copying, modifying or deleting data in the system.
  • Disclosing or providing to third parties information about the security problem before it is resolved.

What to expect from us:

  • We will work with you to understand and quickly resolve the vulnerability (including initial confirmation of your report within 72 hours of submission);
  • We will keep you updated on our efforts to resolve the vulnerability;
  • If you meet all of the above conditions, we will not file criminal charges against you or bring a civil case against you.

If you have any questions and/or comments about this Responsible Disclosure, please contact Emiel Duinisveld (Chief Information Security Officer at Shift2).