Responsible Disclosure Policy
1. Introduction
At Mediagenix we take the security of our systems and data very seriously. Despite our concern for the security of these systems, no system is 100% secure. If you have found a vulnerability in one of our systems, please let us know so that we can take measures as quickly as possible.
This Responsible Disclosure Policy outlines how you can report security vulnerabilities to us in a responsible and mutually beneficial manner.
2. Scope
This policy applies to all individuals, including employees, contractors, vendors, and external security researchers, who discover potential vulnerabilities in any system, application, or infrastructure owned or operated by Mediagenix. In any case of doubt, please contact security@mediagenix.tv to clarify matters.
We recognize the importance of collaboration with the security community to identify and address potential vulnerabilities.
Gaining or attempting to gain unauthorized access to an IT system is punishable even if the IT system is insecure and the person is acting with good intentions.
However, access to our IT systems and equipment is only permitted with the intention of improving security, informing us of existing vulnerabilities and in strict compliance with the other conditions set out in this document.
3. What we ask of you
If you discover a vulnerability in one of our systems, we ask you to:
- Report the vulnerability as soon as possible after discovery. Mail your findings to security@mediagenix.tv and encrypt them with our PGP key to prevent the information from falling into the wrong hands.
- Provide sufficient information to reproduce the vulnerability so that we can solve the problem as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but for more complex vulnerabilities more information may be needed.
- Leave your contact details, so that Mediagenix can contact you to work together for a secure and complete result. Leave at least your name, e-mail address and/or telephone number. Reporting under a pseudonym is possible, but make sure that we can contact you if we should have additional questions.
- Confirm that you have acted and will continue to act in accordance with this Responsible Disclosure Policy.
4. Rules and principles you must follow
4.1. Publication
Acts under this Responsible Disclosure Policy should be limited to conducting tests to identify potential vulnerabilities and sharing this information with Mediagenix. You may only publish information about the vulnerabilities you discovered after they have been remediated. You will notify us at least one month before publication and give us the opportunity to respond. Identifying us in a publication is only possible after we have given our explicit approval.
4.2. Proportionality
You undertake to comply strictly with the principle of proportionality in all your activities, i.e. not to disrupt the availability of the services provided by the system and not to make use of the vulnerability beyond what is strictly necessary to demonstrate the security flaw. Your approach must remain proportionate: if the security problem has been demonstrated on a small scale, no further action should be taken.
4.3. Actions that are not allowed
You are not permitted to take the following actions:
- Copying or altering data from the IT system or deleting data from that system.
- Changing the IT system parameters.
- Installing malware: viruses, worms, Trojan horses, etc.
- Distributed Denial of Service (DDoS) attacks or any attack that causes service degradation, by accident or on purpose.
- Social engineering attacks.
- Phishing attacks.
- Spamming.
- Stealing passwords or brute force attacks.
- Installing a device to intercept, store or learn of (electronic) communications that are not accessible to the public.
- Intentionally intercepting, storing, or receiving communications not accessible to the public or electronic communications.
- Deliberately using, maintaining, storing, communicating, or distributing the content of non-public communications or of data from an IT system where the participant should reasonably have known it had been obtained unlawfully.
4.4. Confidentiality
You must strictly refrain from sharing or disclosing any information collected under our policy with third parties without our prior and explicit consent.
Similarly, it is not permitted to reveal or disclose computer data, communication data or personal data to third parties.
4.5. Bona fide execution
Mediagenix undertakes to implement this policy in good faith and not to take legal action, either civil or criminal, against all parties who comply with the conditions stated in this policy.
You must be free of fraudulent intent, intent to harm, intent to use or intent to cause damage to the visited system or its data.
If there is any doubt about any of the conditions of our policy, the participant must first ask our contact point via mail at security@mediagenix.tv and obtain its written consent before acting.
5. What we promise
- If you have complied with the above terms of the Responsible Disclosure Policy and have not committed any other breaches, we will not take any legal action against you.
- We will respond to your report within a short period of time, usually within 10 working days, with our review of the report and any expected date for resolution.
- We will treat your report confidentially and will not share your personal data with third parties without your consent unless this is necessary to comply with a legal obligation.
- We will keep you informed of the progress of solving the problem.
- To thank you for any report of a security problem that is not yet known to us, we offer the opportunity to be listed in our “Hall Of Fame”.
- We strive to solve all problems within a short period of time.
- We may choose to ignore low quality reports.