Vulnerability Disclosure Policy
ThreatFabric places great value on (information) security. However, no matter how much effort we put into this, vulnerabilities can still be present. If you discover a vulnerability, we would like to know about it, so we can take steps to address it as soon as possible. Please follow the instructions below:
Email your findings to security@threatfabric.com. If possible, please encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands:
PGP Fingerprint = 87DF BB9F E881 89B7 C9FF CDD5 9339 15A4 F60B 39BD
We require you:
- Not to take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying existing data.
- Not to reveal the problem to others until it has been resolved.
- Not to use the information to execute attacks on physical security, applications of third parties or perform social engineering, distributed denial of service, phishing, or spam.
- To provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address (or the URL) of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
We promise you:
- We will respond to your report within five business days.
- We will not take legal action against you regarding the information you shared with us if you have followed the instructions above (paragraph ‘We require you’).
- We will handle the information you shared with us with strict confidentiality, and not pass on your personal details to third parties without your permission.
- We strive to resolve all problems as quickly as possible.
Exclusions
This vulnerability disclosure is not intended for:
- reporting complaints.
- reporting fake emails (phishing emails).
- reporting fraud.
We also exclude specific problems that, in our opinion, do not constitute a threat.
Excluded systems
All systems other than domains ending in:
- threatfabric.com.
- threatfabric.org.
- threatfabric.net.
Excluded types of security problems
- SPF/DMARC records.
- (D)DoS attacks and rate limiting of calls.
- Problems that amount to self-XSS.
- Error messages without sensitive data.
- Software (version) disclosure.
- Resolved vulnerabilities.