Responsible Disclosure Policy - Order2Cash

Order2Cash takes the security of its software and technologies, and the protection of the data hosted within them, very seriously. Although we keep a vigilant watch and regularly test our systems and procedures, the possibility of a vulnerability in our software applications always remains. Help us by reporting any vulnerability you find, so that we can ensure it is patched as quickly as possible. Please do not make a vulnerability public before working with us on a solution first. We are not trying to cover up our mistakes, but making a vulnerability public might have serious consequences for all our customers.

How can you report problems?

Any vulnerability found in our services may be disclosed through the web form below. You can also use this form to disclose problems anonymously.

  • Use the form below to alert us to the vulnerability.
  • When completing the form, please provide a detailed description of the issue as this will aid us in trying to reproduce the matter, and help us to address and fix the problem in a timely fashion. Details should include the URL or IP address of the affected system and a clear description of the vulnerability. If we require extra information, we will contact you.

Rules of the game

We would like to ask you to only share the problem with Order2Cash’s experts and to refrain from making it public. In this way, we can keep our clients’ data safe. We appreciate it if you give us time to solve the problem.

When you investigate a vulnerability, please do not damage the software. You are not permitted to disclose information to anyone except Order2Cash. Moreover, you are not allowed to deliberately interrupt our services while investigating a problem.

It is possible that, in the course of your investigation, you do something that is unlawful. If you are acting in good faith, with due care, and in accordance with the rules below, you will not be prosecuted.

We would like to ask you:

  • to describe clearly in your report how the security problem can be abused. Give a step-by-step explanation if you can.
  • to not use any social engineering to get access to our systems.
  • to not insert a back door in an information system to show the weak spot.
  • to only do what is strictly necessary to show the vulnerability.
  • to not copy, change or delete data. Send us only (minimal) information which you need to demonstrate the problem. Make a directory listing, for example.
  • to minimize any attempts to gain access to the system and to not disclose any information about access gained to third parties.
  • to not use any ‘brute force attacks’ to enter our systems.
  • to submit only one security problem with each report.
  • to reply if we need extra information about the problem you have found; to never contact Order2Cash’s staff directly or through any channels other than the form.

What will we do with your report?

On receipt of your report through the web form, you will automatically receive a confirmation of receipt. You will hear within 3 working days what we will do with your report.
We will only use your contact details to communicate with you about your report. We will not share them with third parties unless we are obliged to do so by law, for example if we are asked to do so by judicial authorities, or if we regard your action as a criminal offence (meaning you have not acted in good faith) and report it to the police.

If you have reported the problem anonymously, we will be unable to keep you informed.

What should not be reported?

This Responsible Disclosure Scheme is neither meant for lodging complaints, nor must it be used for reporting:

  • that the website or application is not available
  • fraud
  • fake emails (phishing emails)
  • viruses

Report a vulnerability by filling in the form below.