Responsible disclosure Blue10

At Blue10, we consider the security of our systems, our network and our products highly important. Despite the fact that we take great care of our information security, it may occur that a weakness is discovered. If this is the case, we would like to hear about it as soon as possible so that we can take prompt action.

Weaknesses can be discovered in two ways: you accidentally discover one by using the digital environment as usual or you make an explicit effort to find one.

Our responsible disclosure policy is not an invitation to actively scan our company (or corporate) network for vulnerabilities. We monitor our network ourselves. As a result, there is a good chance that a scan will be noticed by our Security Operation Center (SOC), which will investigate it, and unnecessary costs may be incurred. Costs for services provided by our SOC that are caused by parties who actively and/or intentionally scan for weak spots without express permission from Blue10, and therefore do so of their own accord, will be recovered from the relevant party that performed this action.

We would like to collaborate with you to protect our customers and systems better.

If you discover a vulnerability, we ask you to:

  • Mail your discoveries as soon as possible to compliance@blue10.com
  • Not abuse the vulnerability by downloading, changing, or deleting any data. We always take your report seriously and will investigate any suspected vulnerability, even without ‘proof’.
  • Refrain from sharing the problem with others until it has been resolved.
  • Refrain from attacks on physical security, social engineering, and the use of hacking tools such as vulnerability scanners.
  • Provide us with sufficient information to reproduce the problem, so we can resolve it as soon as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more may be needed for more complex vulnerabilities.

What we promise:

  • We respond to your report with a review and an expected resolution date within five working days.
  • We treat your report with confidentiality and do not share your personal data with external parties without your permission.
  • We keep you updated on the progress status for the resolution of the problem.
  • If preferred, we name you as the discoverer in our reporting on the problem.
  • Unfortunately, it is not possible to rule out any legal proceedings against you in advance. We want to be able to weigh up each situation individually. We consider ourselves morally obliged to press charges when we suspect that the vulnerability or data are being abused or when you share knowledge of the problem with external parties. You can rest assured that an accidental discovery in our online environment will not lead to pressing charges.
  • To thank you for your help, we offer a reward for every report of a security problem as yet unknown to us. We determine the size of the reward based on the severity of the leak and the quality of the report.

We strive to solve all problems as soon as possible and keep all involved parties updated. We would like to be involved in any publication on the problem after it has been resolved.

Customers of Blue10 have their own responsibility to work securely with cloud applications like Blue10. All that is expected of our customers is described in our Security & Privacy Whitepaper.