Coordinated Vulnerability Disclosure Policy

Montr

At Montr, we take the security of our systems and data very seriously. We appreciate the assistance of security researchers and ethical hackers who contribute to the safety of our services by responsibly disclosing vulnerabilities. This document outlines how we handle such reports and what we expect from researchers who discover vulnerabilities in our systems.

1. Guidelines for Reporters

If you discover a vulnerability in one of our systems or services, we ask you to:
• Report it immediately and confidentially via contact@montr.nl.
• Not cause any harm or exploit the vulnerability, including copying, modifying, or deleting data.
• Not disclose the vulnerability publicly before we have had the opportunity to resolve the issue.
• Avoid any actions that may affect the availability or integrity of our systems, such as DDoS attacks, social engineering, or physical intrusion.
• Use legitimate testing methods and refrain from using automated scanning tools that could disrupt our services.

2. What We Promise

If you report a vulnerability following the guidelines above, we promise to:
• Acknowledge receipt of your report within 1 business day.
• Provide a substantive response within a reasonable timeframe, including an expected resolution timeline.
• Work together to resolve the issue as quickly as possible and keep you informed of progress.
• Not take legal action against reporters who adhere to this policy.
• (Optional) Offer a reward or recognition for valuable discoveries, depending on the severity and impact of the vulnerability.

3. Exceptions

This policy does not apply to:
• Vulnerabilities in third-party services that we use but do not manage.
• Theoretical vulnerabilities without practical impact.
• Reports concerning outdated software without evidence of exploitation.

4. Disclosure and Collaboration

We strive for a swift resolution of vulnerabilities and welcome collaboration with researchers. By mutual agreement, a report may be publicly disclosed once the issue has been resolved.

5. Contact

Vulnerabilities can be reported via:

📧 contact@montr.nl
🔒 If possible, use PGP encryption for sensitive information.