The rules of responsible disclosure of vulnerabilities include, but are not limited to:
- Avoid accessing, exploiting or exposing of any customer/personnel data other than your own,
- Avoid any action that may cause a degradation of our services, or will harm our customers (for example overloading our systems),
- Keep details of vulnerabilities secret for at least 90 days after Sioux has been notified, based on our research we may extend this secrecy period,
- Do not use any social engineering techniques, such as sending phishing emails to Sioux’s employees, partners or customers,
- When methods are used that do not comply with your local law, Dutch law and/or the above mentioned responsibility rules, enforcement authorities will be notified
Our security team assesses if you’re eligible for a bounty. We use the following guidelines to determine the validity of requests and the reward compensation offered.
- Currently, only Sioux personnel can be eligible for a bounty. This may change in the future, we hope this does not stop you from participating in this program
Our security team and engineers must be able to reproduce the reported security flaw. Make sure your report is clearly written and includes all the necessary information so we can reproduce the flaw. Please include:
- Type of vulnerability issue
- In case the vulnerability is in one of our services include the URL/IP
- The potential impact of the vulnerability
- Step-by-step instructions to reproduce the issue, including any proof-of-concept or exploit code to reproduce
Definition of a Vulnerability
To be eligible for a reward, your report must be considered valid by the Sioux security team. Examples of Non-Qualifying Vulnerabilities
- Denial of Service vulnerabilities (DOS)
- Mixed-content scripts and insecure cookies outside of our platform
- Social engineering attacks against Sioux Personnel
- Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves be susceptible
- Unconfirmed/unverified reports from vulnerability scanners
- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
- Only one bounty will be awarded per vulnerability
- If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
- Our reward system is flexible. We have no minimum or maximum amounts as rewards are based on severity, impact and report quality.
- Vulnerabilities affecting our infrastructure typically have a higher impact.
- To receive a reward, you must reside in a country not on sanctions lists.
- This is a discretionary program and Sioux reserves the right to cancel the program; the decision whether or not to pay a reward is at our discretion.
You can contact us via firstname.lastname@example.org to report any vulnerability or questions about this program. If you’re sharing any security flaw or sensitive information with us, we strongly encourage you to encrypt this email using PGP, our key is in many public registries. (keys.openpgp.org)
By submitting a report, you grant us a perpetual, worldwide, royalty-free, irrevocable, and non-exclusive license to use and modify your submission into Sioux’s Products and services.