Responsible Disclosure
At Print.one, we prioritize the security of our systems. Therefore, we would like to show you how you can help us in this regard.
If you have found a vulnerability in any of our systems, we would appreciate hearing from you so that we can take measures as quickly as possible. We are eager to collaborate with you to better protect our customers and our systems.
We ask you:
To email your findings to security@print.one.
Not to misuse the issue, such as by downloading more data than necessary to demonstrate the leak or viewing, deleting, or modifying data from third parties.
Not to share the issue with others until it is resolved and to immediately delete all confidential data obtained through the leak after it is fixed.
Not to use attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications.
To provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Typically, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more may be needed for complex vulnerabilities.
Out of scope:
Software versions with known vulnerabilities unless it can be proven that they are exploitable.
Missing or suboptimal security-related headers (including cookie flags) or technologies.
Session fixation and missing session revocation.
Suboptimal TLS/SSL configuration.
Suboptimal speed limits.
Insecure file uploads unless proven exploitable.
Weak password policies.
Insecure HTTP methods such as OPTIONS.
Account creation/modification or newsletter subscriptions that do not validate the email address.
Pre-authentication for social login.
Denial of Service attacks.
Potentially sensitive paths in robots.txt.
Open redirects.
Dangling IPs.
Concerns about best practices.
Path disclosure.
Problems with banner handling.
UUID enumeration of any kind.
Open ports without accompanying proof-of-concept demonstrating vulnerability.
Vulnerabilities as reported by automated tools without additional analysis of how they pose a problem.
Invalid or missing SPF (Sender Policy Framework) records.
Content spoofing / text injection.
Forms without CSRF tokens.
Attacks requiring physical access to a user's device.
Social engineering of Print.one employees or contractors.
Domains out of scope:
Other domains hosting third-party software.
What we promise:
We will respond to your report within 3 days with our assessment of the report and an expected date for a solution.
If you have complied with the above conditions, we will not take legal action against you regarding the report.
We treat your report confidentially and will not share your personal data with third parties without your consent, unless necessary to comply with a legal obligation. Reporting under a pseudonym is possible.
We will keep you informed of the progress of resolving the issue.
In communications about the reported issue, we will, if you wish, mention your name as the discoverer.
As a token of appreciation for your help, we offer a reward for each report of a security problem unknown to us. The size of the reward is determined based on the severity of the leak and the quality of the report, with a minimum amount of €25,-.
We strive to resolve all issues as quickly as possible and we would like to be involved in any publication about the issue after it has been resolved.
Thanks to Floor Terra for the example text on https://responsibledisclosure.nl/.