Responsible disclosure

We’re dedicated to ensuring a secure digital environment for all our customers, visitors, and colleagues. If you think you’ve encountered a possible security issue, we would appreciate it if you notify us.

Since launching our responsible disclosure policy in 2012, we’ve learned that not all reported issues need to be investigated. If you’re in doubt about whether something is worth reporting, please see our article on “Common pitfalls when following a responsible disclosure policy.”

Contact

Still have an issue to report? Please email abuse@schubergphilis.com. We prefer to receive encrypted email. You can encrypt your e-mail by using our PGP public key, available at https://keybase.io/schubergphilis. You can also have an encrypted chat with us here.

Please do not send sensitive information via unencrypted channels or social media, such as Twitter or Facebook.

Be sure to let us know if you prefer to remain anonymous or get public credit when you report the issue.

Rules of engagement

If you think you’ve identified a vulnerability, we’d also very much appreciate it if you:

  • Don’t exploit your finding.
  • Share the information with just us, not other parties.
  • Give us time to assess the situation and respond within a reasonable timeframe.

Anonymity or public credit

If you report an issue, by default you will remain anonymous.

However, if you prefer to get public credit for identifying the issue, that’s possible too. In that case, let us know that you would like your name or alias to be listed with details about the vulnerability when we publish and/or forward it.

Sometimes due to the sensitive nature of our work or some customer contracts, we are unable to make the full details of the vulnerability you identified public. In that case, we’ll thank and credit you and/or publish an article that in more general terms acknowledges your valued input, which you can read at schubergphilis.com/en/stories. Unless you object to it, we’ll also include in our hall of fame a general description of the vulnerability and credit the finding to you or “an anonymous researcher" in our hall of fame page.

Bounty

We like to give security researchers a token of appreciation for the time they’ve spent helping improve our infrastructure. For your vulnerability finding, please let us know which of the following bounties you would like:

  • Get an Amazon digital e-gift card
  • A donation to NewTechKids
  • A bottle of champagne.