Security

Responsible disclosure

We take the security of our website and our platform seriously. If you discover a vulnerability, we want to hear about it so we can fix it. This policy explains how to report a vulnerability and what you can expect from us.

Last updated: 23 June 2026.

1. Our commitment

We value the work of security researchers. We handle reports confidentially, keep you informed of our progress, and will not pursue legal action against researchers who act in good faith and follow this policy.

2. Scope

This policy covers:

  • the Soveryne website (soveryne.com);
  • the Soveryne application and its APIs.

3. How to report

Send your report to security@soveryne.com. For sensitive details, encrypt your message with our PGP key (PGP key to be published).

Please include enough detail for us to reproduce the issue:

  • the affected URL, endpoint or component;
  • clear steps to reproduce, and a proof of concept if possible;
  • the impact you believe the issue has.

4. What we ask of you

  • Act in good faith and avoid privacy violations.
  • Do not access, modify or delete data that is not yours; use only test accounts and your own data.
  • Do not degrade or disrupt our services. No denial-of-service, volumetric, load or stress testing.
  • No social engineering, phishing, or physical attacks against our people or premises.
  • Give us a reasonable time to resolve the issue before any public disclosure, and coordinate timing with us.

5. What you can expect from us

  • We acknowledge your report within 5 business days.
  • We give you an indication of the expected timeline and keep you informed of progress.
  • Safe harbor: we consider good-faith research conducted under this policy to be authorised, and we will not pursue legal action for it.

6. Out of scope

The following are generally out of scope and we may close such reports without action:

  • denial-of-service, volumetric, load or stress testing;
  • spam, or social engineering of our staff or users;
  • automated scanner output without a demonstrated, exploitable impact;
  • vulnerabilities in third-party services we do not control;
  • physical attacks.

7. Recognition

We do not operate a paid bug bounty at this time. With your permission, we are happy to acknowledge your contribution.

8. Contact

security@soveryne.com. Soveryne B.V., KvK 42030650, Lange Groenendaal 110A, 2801 LV Gouda.