Coordinated Vulnerability Disclosure Policy
The security of our systems is our top priority. If you discover a vulnerability in one of our systems, please let us know so that we may take action immediately. As a token of our appreciation, we offer a reward for the first report of an unknown vulnerability.
What we ask from you
- Stay in scope: use https://sandbox.elabjournal.com or https://preview-developer.elabnext.com/ for your tests.
- Email your findings to security@elabnext.com. If you only want to send your email encrypted, please inform us at the above email address, and we will send you instructions on how to send us encrypted information.
- Provide sufficient information to reproduce the problem. Usually, the IP address or the URL and a description will do, but complex vulnerabilities may require further explanation.
- Do not misuse or exploit the vulnerability or problem, for example by downloading more data than necessary, or by consulting, deleting or modifying other people’s data.
- Do not reveal the problem to others until it has been solved. Did you obtain confidential data through the leak? Delete these as soon as the problem has been solved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
The email address security@elabnext.com can only be used for notifications of vulnerabilities in our security measures. Any other questions or remarks relating to the use of the eLabNext website will not be answered.
What we promise
- We will respond to your report within 7 business days.
- We will provide our evaluation of the report and an expected solution date. We will also classify the vulnerability as low, medium, high or critical.
- We will handle your report with strict confidentiality. We will not share your personal details with third parties unless we are under a legal obligation to do so. You can also report a problem anonymously.
- We will keep you updated on the progress of the solution to the problem.
- In any public information concerning the problem, we will include your name as the discoverer, but only if you want us to.
- We offer a reward for any first report of an unknown vulnerability. The exact reward will be determined by the severity of the vulnerability and the quality of the report, ranging from an honourable mention to a monetary reward.
- We strive to resolve any vulnerability as soon as possible.
Rewards based on severity
If you have followed the instructions above, we will not take any legal action against you in regard to the report.
* In case federated login (e.g. LDAP/AD/AD FS/Single Sign-On) is active, passwords are not required and not stored.
In addition to the required personal data, the system has the option to store other personal data, such as job title or the organisation address. All Bio-ITech software applications provide direct access to all personal data in the user profile from where the user has the option to remove or change any personal information in the system. For customers with a Private Cloud or On-Premises installation, the System Administrator / Key-User can change the privacy policy for GDPR compliance in the system setting.
Hall of Fame
The Security Researchers Hall of Fame honors the exceptional contributions of individuals who have significantly enhanced our cybersecurity by identifying and reporting vulnerabilities. These dedicated researchers, through their expertise and ethical commitment, play a crucial role in safeguarding our digital realm, driving advancements in security practices, and protecting countless systems and data. This hall of fame celebrates their remarkable skill, integrity, and dedication, acknowledging the profound impact they have on our digital lives and ensuring a safer future for all.