Responsible Disclosure Policy
Your efforts to help us keep our services safe and secure are greatly appreciated.
Our Commitment
At ITGOIT, we consider the security of our systems a top priority. However, no matter how much effort we put into system security, there can still be vulnerabilities present. If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.
How to Report a Vulnerability
Please send your findings by using the button below. We highly encourage you to encrypt your message using our OpenPGP key to protect the information. Please follow the rules below:
- Provide sufficient information to identify the problem so that we can address it as quickly as possible. The IP address or URL of the system and a description of your findings are often sufficient. However, for complex problems, more information may be necessary.
- Leave your contact details so that we can get in touch with you.
- Report your findings to us as soon as possible after discovery.
- Do not share information about your findings with anyone except the designated persons at ITGOIT.
- Handle the knowledge of your findings with care and only use it to inform us of what you have discovered.
Scope
In Scope
- Any domain or service directly owned by ITGOIT, such as itgoit.nl and its subdomains.
- Our customer-facing web applications and APIs.
- Our backend infrastructure directly supporting in-scope services.
What You Do Not Need to Report (Out of Scope)
- Clickjacking on pages with no sensitive actions and without a documented series of clicks that can exploit a sensitive functionality.
- Cross-Site Request Forgery (CSRF) for non-significant actions.
- CORS misconfigurations when the Credentials header is not set.
- Missing HTTP security headers that do not directly lead to a vulnerability (e.g., CSP, HSTS, X-Content-Type-Options, etc.).
- Missing best practices in SSL/TLS configuration.
- Missing best practices in Content Security Policy.
- Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).
- Missing cookie flags on cookies that do not hold session or other sensitive information.
- Information Disclosure – default exposed config files with no sensitive data.
- Open redirect vulnerabilities that do not demonstrate additional security impact.
- Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS.
- Host header injection with no demonstrable impact.
- Vulnerabilities reported shortly after their public release (please allow a reasonable time for patching).
- Vulnerability reports from automated tools without validation.
Safe Harbor
We consider activities conducted consistent with this policy to constitute authorized conduct under the Computer Fraud and Abuse Act. To the extent your activities are consistent with this policy, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. We hope that you will, in turn, not engage in any legal action against ITGOIT.