FleetLink by Atlas Copco
Beta
Coordinated Vulnerability Disclosure Policy
Vulnerabilities that pose a risk to the FleetLink platform and/or its users can be reported to us.
Examples include vulnerabilities that enable login forms to be bypassed or provide unauthorised access to databases containing personal information.
Not every defect in a system constitutes a vulnerability. In general, the following defects do not result in a potential security breach and we therefore kindly request that you do not report such vulnerabilities to us:
- Defects that do not affect the availability, integrity or confidentiality of data.
- Cross-site scripting on a static website, or on a website that does not process any sensitive (user) data.
- The exposure of technical information such as version numbers, IP addresses and usernames. Exceptions are made when this information can directly and demonstrably be abused, for example software versions with known vulnerabilities, accounts with default credentials, or IP addresses that lead to system access.
- Missing HTTP security headers, including those used by mechanisms such as Cross-Origin Resource Sharing (CORS), unless the missing header demonstrably results in a security problem.
- Security issues that lack a realistic exploitation scenario, that only disclose non-sensitive or low-risk information, or that depend on phishing or extensive user interaction. These are considered low-impact and do not qualify for recognition or rewards.
Please note that decisions regarding a reported vulnerability are final and not up for discussion. Repeated communication, whether requests for updates or otherwise, disrupts the CVD process.
How do you submit a vulnerability report?
Please take the following steps:
- Contact us via e-mail at j.vanderknaap@dacbcs.com (PGP key).
- Include as many details as possible, including the steps needed to reproduce the problem.
- Make sure the e-mail address you contact us from accepts replies, so that we can reach you for more information.
- Contact us as soon as possible after discovering the problem.
- Do not share any information about the security problem with others until we have told you that it has been resolved.
- Handle your knowledge of the security problem responsibly: perform no further actions involving the defect beyond those necessary to demonstrate the security problem.
You must never perform the following actions while researching a vulnerability:
- Introduce malware into the system.
- Copy, edit or delete data in the system.
- Make changes to the system.
- Repeatedly access the system or share access to the system with others.
- Perform brute-force attacks to gain access to a system.
- Perform denial-of-service attacks or social engineering.
- If you submit your report in accordance with this procedure, there will be no grounds for legal consequences in relation to your report. We will handle your report in confidence and will not share your personal details with third parties without your permission, unless we are compelled to do so by law or by a court ruling.
- We will only name you as the discoverer of the vulnerability in question if you give us permission to do so.
- We will confirm receipt of the report within two working days and we will subsequently send an assessment of your report within four working days. We will also give you progress updates regarding the resolution of the problem.
- Upon resolution of the problem, we will consult with you to determine whether and in what way to publish details of the problem and its resolution.
- We kindly ask reporters to respect our decision process.