Vulnerability Disclosure Policy
This Vulnerability Disclosure Policy is aimed at security researchers engaging in independent discovery of potential security issues on websites. Our goal is to work collaboratively with the security community to improve our cyber resilience and protect user data.
Purpose and scope
This policy only covers websites that have a .well-known/security.txt file present. Any website without this file is considered out of scope for this policy.
When researching, we ask that you refrain from:
· Testing physical security measures, such as office access (e.g., open doors, tailgating).
· Employing social engineering techniques (e.g., phishing, vishing).
· Reporting issues from applications or systems not explicitly listed in the ‘Scope’ section.
· Identifying UI/UX bugs and spelling errors.
· Exploring network-level Denial of Service (DoS/DDoS) vulnerabilities.
· Investigating TLS configuration weaknesses (e.g., support of “weak” cipher suites, TLS 1.0, etc.).
· Conducting tests that involve overwhelming our service with high-volume requests (volumetric vulnerabilities).
· Reporting non-exploitable vulnerabilities or deviations from “best practice” standards, such as missing security headers (CSP, X-Frame-Options, X-XSS-Protection, etc.) or suboptimal email configurations (SPF, DMARC, etc.).
If you’ve discovered a security issue within our defined scope, please report it to us by:
· Sending an email to security@jfm.dk
· Providing detailed information about the potential vulnerability, including steps to reproduce, potential impact, and any other relevant data.
Upon receiving your report, we will:
· Acknowledge receipt within 48 office hours (business hours).
· Work with you to understand and resolve the issue rapidly.
· Keep you informed about our progress.
We ask that you:
· Do not disclose the issue to others until it has been resolved.
· Avoid data deletion, alteration, or access to data beyond what is necessary to demonstrate the vulnerability.
· Comply with all applicable laws and regulations in the course of your research activities.
Your efforts in making the internet a safer place are highly appreciated, and we commit to collaborating openly and respectfully with the security research community.
We appreciate the time and effort taken by security researchers in their pursuit of enhancing cybersecurity. However, please be aware that we currently do not offer a bug bounty program or monetary rewards for vulnerability disclosures. We understand the value of your contributions and acknowledge the important role they play in safeguarding our digital assets. Your understanding and cooperation in this matter are greatly appreciated, and we encourage you to continue to report any potential security issues you find in accordance with this policy.