Responsible vulnerability disclosure policy

Introduction

The information on this page is intended for security experts and ethical hackers who wish to inform us of the existence of security breaches on our website and those of our customers.

Your help is very valuable, so we invite you to report us, as soon as possible, any security flaw discovered in one of our developments, without disclosing it publicly before it is corrected.

We will investigate all reports we receive and apply the necessary fixes as soon as possible.

Responsible Disclosure Rules

Contact us using the information below and allow us a reasonable amount of time to fix security vulnerabilities before reporting them publicly.

Provide us with enough details about the vulnerabilities to allow us to identify them accurately. Do not hesitate to include the addresses concerned, the parameters used and any other data or documents that can guide us in solving the problem.

do not ask for financial compensation;
do not disclose vulnerabilities discovered on an external market for security vulnerabilities;
do not use denial of service techniques to undermine the connectivity of our services;
avoid the destruction of data during your operations;
do not use phising or hacking against FACIL’iti employees, our customers or against the users of our services.

If these basic rules are respected and if the problem identified turns out to be real, we will be happy to thank you publicly on this page by publishing your first and last name (or pseudonym) as well as a link to your website.

How to contact us ?

To report a vulnerability to us, you can contact us at security@facil-iti.com.

If you wish to send us sensitive data in a secure manner, our GPG key is accessible at the address www.facil-iti.com/.well-known/security-pgp-key.txt. We will respond to you as soon as possible after analyzing the information provided.

FACIL’iti sincerely thanks the researchers and security experts for their efforts and their participation in this program.