As a security company, we recognize that any system or infrastructure can become vulnerable over time. We encourage responsible disclosure of security vulnerabilities to help protect our customers, partners, stakeholders, and ourselves, and to make the digital world a safer place.
Reporting a Vulnerability
If you discover a security vulnerability, please report it to us via support@msafe.nl.
Safe Harbor
We will not take legal action against individuals who report vulnerabilities in good faith and in accordance with this policy. If third parties initiate legal proceedings due to activities that comply with this policy, we will take steps to clarify the responsible disclosure to the relevant parties and/or legal authorities.
Our Commitment
- We will promptly review and respond to all vulnerability reports.
- We will engage in an open dialogue with you.
- We will provide a timeline for when we expect the issue to be resolved.
- We follow the 90-day disclosure deadline as a standard practice.
Your Commitment
By submitting a vulnerability report, you agree to:
- Use discovered vulnerabilities only for responsible disclosure.
- Report vulnerabilities exclusively and privately to us as soon as they are detected.
- Avoid actions intended to harm us, our customers, partners, or stakeholders.
Reward
As a token of our gratitude for your assistance, we offer a reward for every report of a security problem that was not yet known to us and is not on the list of exclusions. The amount of the reward will be determined based on the severity of the vulnerability and the quality of the report.
Scope of the Vulnerability Disclosure Policy (VDP)
The following systems are covered under this policy:
- Web application: app.msafe.nl
Out of scope:
Systems used solely for marketing purposes, including:
- Marketing website: mSafe.co
- Landing pages associated with marketing campaigns
Prohibited Activities
The following actions are strictly not allowed:
- Denial-of-service (DoS) attacks, including resource exhaustion, high-load automated scanning, data deletion, fuzzing, etc.
- Spamming
- Social engineering (e.g., phishing attempts)
- Gaining physical access, including unauthorized entry or surveillance
- Targeting non-internet-facing systems, such as internal networks, private IPs, or employee workstations
- Installing persistent backdoors
Exclusions (Out of Scope Issues)
The following are not considered valid security vulnerabilities under this policy:
- Issues with no direct security impact, such as missing best practices or hardening measures
- Broken links
- Attacks requiring unrealistic preconditions, such as using outdated browsers or vulnerable plugins
- Lookalike domain registrations
- Homograph attacks
- Metadata in files (e.g., images, PDFs)
- Theoretical attacks without a practical exploit scenario
- Outdated software without a proven security impact
- Recently patched vulnerabilities in third-party software (within two weeks of public disclosure)
- Email security settings (DKIM, SPF, DMARC, AAC records)
- Missing HTTP headers (e.g., CSP, Permissions-Policy)
- Clickjacking
- Missing cookie security flags
- Disclosure of non-sensitive information (e.g., robots.txt, sitemap.xml, public files or directories)
- Low- or no-impact CSRF attacks
- Self-attacks
- Open ports
Thank You ❤️
We appreciate everyone who takes the time to report security vulnerabilities and contribute to a safer online environment.