Our responsible disclosure Policy
EFFECTIVE DATE: 13 JUNE 2024
Responsible Disclosure
The safety and security of our customers is an essential priority for DebtCo, and we are committed to it. Toward this end, DebtCo has formalised this policy for accepting vulnerability reports in our products. We hope to foster an open partnership with the security community, and we recognise that the work the community does is important in continuing to ensure safety and security for all of our customers.
We have developed this policy to both reflect our corporate values and to uphold our legal responsibility to good-faith security researchers who are providing us with their expertise.
This Responsible Disclosure has been created with the help of the NTIA Safety Working Group's Vulnerability Disclosure Template Version 1.1.
Scope
This Vulnerability Disclosure Program initially covers the following products:
- The FinView Hub Platform - UK
- The FinView Hub Platform - EU
- The FinView Control Platform
- The FinView Access Platform
- The FinView Access App - Apple
- The FinView Access App - Google
- The DebtCo Website
While DebtCo develops other products, we ask that all security researchers submit vulnerability reports only for the stated product list. We intend to increase our scope as we develop other products.
Legal Posture
We will not engage in legal action against individuals who submit vulnerability reports to DebtCo's Security Team. We openly accept reports for the currently listed products. We agree not to pursue legal action against individuals who:
- Engage in testing of systems/research without harming DebtCo or its customers.
- Engage in vulnerability testing within the scope of our vulnerability disclosure program.
- Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
- Adhere to the laws of their location and the location of DebtCo. For example, violating laws that would only result in a claim by DebtCo (and not a criminal claim) may be acceptable as DebtCo is authorising the activity (reverse engineering or circumventing protective measures) to improve its system.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon time frame expires.
Terms and Conditions
By submitting information in the scope and context of this Policy ("the Report") to DebtCo:
- You agree that you are acting in good faith and commit to adhering to the guidelines laid out in this policy.
- You agree that DebtCo may use the Report to update and/or improve its software; and you grant to DebtCo a non-exclusive, perpetual, irrevocable, worldwide, royalty-free license, with the right to sublicense to DebtCo licensees and customers, under all relevant intellectual property rights, to use, publish, and disclose the Report in any manner DebtCo chooses and to display, perform, copy, make, have made, use, sell, and otherwise dispose of DebtCo and its sub licensee's products or services embodying Report in any manner and via any media DebtCo chooses, without reference to the source. DebtCo shall be entitled to use the Report for any purpose without restriction or remuneration of any kind with respect to You and/or Your representatives.
How to Submit a Vulnerability
To submit a vulnerability report to DebtCo's Security Team, please send an e-mail to security@debtco.io
Preference, Prioritisation, and Acceptance Criteria
We will use the following criteria to prioritise and triage submissions.
What we would like to see from you:
- Well-written reports in English
- Reports that include proof-of-concept code
- Reports that include more than only crash dumps or other automated tool output
- Reports that include how you found the bug, the impact, and any potential remediation.
What you can expect from us:
- A timely response to your email
- After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
- An open dialog to discuss issues.
- Notification when the vulnerability has been validated and fixed.