At Ultimum, we consider the security of our systems to be very important. Despite the care we take for the security of our systems, there may still be a weak spot.
If you have found a weak spot in one of our systems, we would like to hear about it so that we can take measures as quickly as possible. We would like to work with you to better protect our customers and our systems.
We ask you to:
Please email your findings to RD@ultimum.nl ;
Not to abuse the problem by, for example, downloading more data than is necessary to demonstrate the leak or to view, delete or modify third-party data;
Not to share the issue with others until it is resolved and to delete all confidential data obtained through the leak immediately after the leak is closed;
Not to use social engineering, distributed denial of service, spam, third-party applications or attacks on physical security;
Provide enough information to reproduce the problem so we can fix it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability will suffice. It doesn't hurt to supplement this with steps to reproduce the issue and/or screenshots that illustrate the problem.
What we promise:
We will respond to you within three days with our assessment of your report and an expected date for a resolution;
If you have complied with the above conditions, we will not take any legal action against you regarding the report;
We will treat your report confidentially and will not share your personal data with third parties without your permission, unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is possible;
We will keep you informed about the progress of the problem solving;
When we publish about the reported problem, we will, if you wish, credit you by name as the discoverer;
For reports of problems unknown to us, we give a reward. The size of that reward is determined by the severity of the leak and the quality of the report. The reward can consist of goodies, one or more gifts and/or a sum of money, at our discretion.
Exceptions and points of attention:
No rewards are given for issues on third-party sites and systems, or for issues that have already been reported.
This is not an invitation to scan our site extensively; that would cause us inconvenience and we will therefore actively block it.
(D)DoS, physical security and social engineering are excluded from these provisions.
The following types of vulnerabilities have already been reported and triaged; we will therefore not take any further action on them. Reports of these issues will be closed and declared unfounded:
Host Header Injection
WordPress User Enumeration
Google Maps API Key Exposure
Exposed wp-admin on some of Ultimum's subdomains
Missing SPF/DMARC
Ultimum considers the following vulnerabilities ineligible under this program. These issues are closed as not applicable:
Distributed Denial of Service
Content spoofing
Social Engineering, including phishing
Unconfirmed reports from automated vulnerability scanners
Disclosure of server or software version numbers
Generic examples of Host header attacks without evidence of the ability to target a remote victim
Reports related to permitted password strength
SSL Vulnerabilities without a working PoC of the impact
Theoretical sub-domain takeovers with no supporting evidence
Perceived security weaknesses without evidence of the ability to target a remote victim; for example, credentials transmitted in plain text in a POST body, missing rate limits, brute forcing without demonstrated impact, etc.
Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
False reports, or reports lacking evidence of a vulnerability
Clickjacking / UI redressing without a demonstrated risk
Non-state-changing CSRF vulnerabilities
Tabnabbing
We aim to resolve all issues as quickly as possible and would like to be involved in any publication about the issue after it has been resolved.