Responsible disclosure policy
At Maxem, the security of our systems is extremely important to us. Despite our continuous efforts to keep our systems secure, vulnerabilities may still exist. If you discover a security vulnerability in one of our systems, we would greatly appreciate you reporting it to us so that we can take appropriate measures as quickly as possible. We value your help in protecting both our customers and our systems.
We ask that you:
Report your findings by email to security@maxem.io. Please encrypt your report using our PGP key to prevent sensitive information from falling into the wrong hands.
Do not exploit the vulnerability. For example, do not download more data than is necessary to demonstrate the issue, and do not access, delete, or modify data belonging to others.
Do not disclose the vulnerability to others until it has been resolved, and delete any confidential information obtained through the vulnerability immediately after it has been fixed.
Do not use attacks involving physical security, social engineering, distributed denial-of-service (DDoS), spam, or third-party applications.
Provide sufficient information for us to reproduce the issue so that we can resolve it as quickly as possible. In most cases, the IP address or URL of the affected system and a description of the vulnerability will be sufficient. More complex vulnerabilities may require additional information.
What We Promise
We will respond to your report within three days, providing our initial assessment and an estimated timeframe for resolving the issue.
If you have complied with the conditions outlined above, we will not take legal action against you in relation to your report.
We will treat your report confidentially and will not share your personal information with third parties without your permission, unless required by law. You may also submit your report anonymously or under a pseudonym.
We will keep you informed about the progress of resolving the issue.
If you wish, we will acknowledge you as the discoverer of the vulnerability in any public communication regarding the issue.
We aim to resolve all reported vulnerabilities as quickly as possible. If you intend to publish information about the vulnerability, we kindly ask that you coordinate with us and wait until the issue has been resolved before doing so.