The security of our websites and software products is essential to us and our customers. In spite of our care, procedures and best efforts it is possible that there are vulnerabilities in our websites or software products. If you find any, please tell us as soon as possible so we can fix it.
Scope:
You may check the following domains (including subdomains) for vulnerabilities:
- really-simple-plugins.com
- really-simple-ssl.com
- scan.really-simple-ssl.com
- translate.really-simple-plugins.com
- api.really-simple-security.com
You may test the following WordPress plugins for vulnerabilities:
These plugins have paid premium versions; if you want to test these, you will have to buy a license through the respective websites.
We ask you to:
Report your findings at: https://really-simple-ssl.com/submit-a-vulnerability/
- Inform us of the vulnerability as soon as possible after you discover it.
- Give us enough information to be able to reproduce the problem so we can fix it a.s.a.p. Usually the URL or file that contains the vulnerability and a description of the vulnerability is enough, but when the issue is complicated more information may be required.
- Give us your contact information so we can contact you when we have questions.
- Do not share any information regarding the vulnerability with third parties until it is fixed. This includes third-party vulnerability and bug bounty programs, because this would cause us additional work coordinating communications that could be spent on fixing the vulnerability.
- Be responsible by not taking any actions other than the minimum required to verify the vulnerability.
The following is explicitly NOT allowed:
Doing any of these things without explicit prior written consent from us may result in a report to law enforcement and/or legal action against you!
- Uploading malware, viruses, trojans, etc.
- Changing or removing information
- Changing the system configuration
- Sharing access with others
- Using denial-of-service attacks
- Anything that damages or has a negative impact on the availability of our websites, or the systems of the users of our software
If you think you have found a vulnerability but feel you cannot produce proof of compromise without complying with the above restrictions, please contact us.
What you can expect from us:
- If you play by the rules set above when finding security vulnerabilities, we will not pursue any legal action against you regarding the discovery of the vulnerabilities you reported to us.
- We treat every report with the highest confidentiality and will never share your personal information without your express consent, unless we are forced to do so by a legally binding court order.
- If you give us permission, we will credit you for reporting a confirmed vulnerability by putting your name in a thank you section on our website and release notes.
- We will send you a confirmation of the receipt of your report within one business day.
- We will respond to a report within 3 business days with an assessment of the vulnerability and the expected time needed to fix the issue.
- We will keep you informed of the progress we make in fixing the issue.
- We aim to fix the issue reported by you a.s.a.p. The maximum time we may take to fix any issue is 60 days after getting the report.
What we do with vulnerabilities we find ourselves:
When we find vulnerabilities in software or websites we use, we will inform the responsible parties according to their responsible/coordinated vulnerability disclosure policy.
Bounties
Only reports of real vulnerabilities with proof that you personally can exploit them are eligible for rewards. We may reward those vulnerabilities with proof of compromise with monetary compensation ranging from €25 to €1000, depending on the possible impact of the vulnerability. Eligibility and size of bounties are solely at our discretion.
Please DO NOT submit output from automated scanning tools without personally verifying the reported vulnerabilities.
Any time spent by us on invalid reports you make will limit any bounties you may receive for real vulnerabilities in the future!
- Compliance with this policy is a prerequisite for being eligible for a reward; violation of this policy may lead to permanent exclusion from our bounty program.
- Reports of Denial Of Service vulnerabilities do NOT qualify for rewards.
- Reports of old software versions or missing best practices without proof of exploitability do NOT qualify for rewards.
- In case of duplicate reports (multiple reports about the same vulnerability), only the first submitter will be eligible for a reward.
Reporting data breaches
Your privacy and the confidentiality of your data are very important to us. In spite of the care we take protecting your data, it is possible for information to leak. This is how we would handle such an event:
What we consider a data breach
A situation where we know or can reasonably suspect that unauthorized access to personal or business information entrusted to us has occurred.
How we respond to a data breach
After finding out about the data breach, our highest priority is fixing the leak and preventing damage to those concerned. We will investigate the breach to determine how and what data was leaked, what the cause of the breach was and who had access to the leaked data. We will take actions to prevent this from happening again. When we find illegal acts have been a factor in the data breach we will report this to the police.
Who we inform about a data breach
We will inform all persons and organisations affected by the data breach. We will inform the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) whenever Personally Identifiable Information is involved.