Responsible Disclosure Policy

At Dragon1 Inc., we consider the security of our systems very important. Despite our concern for system security, there may still be a weak spot.

If you have found a weak spot in one of our systems, we would like to hear about it so that we can take measures as quickly as possible. We want to work together to better protect our users and systems.

Our Responsible Disclosure policy is NOT AN INVITATION to actively and extensively scan our corporate network to discover weak spots. We monitor our company network. There is a good chance that a scan will be detected and that our CERT (Computer Emergency Response Team) will investigate the origin, potentially incurring unnecessary costs.

There is a chance that during your investigation you will carry out actions that are punishable under criminal law. If you comply with the conditions below, we will not take legal action against you regarding the report. The Public Prosecution Service in the Netherlands always has the right to decide whether you are prosecuted. The Public Prosecution Service has published this.

We ask you:

  • To email the weak spot as soon as possible to ciso@dragon1.com. Encrypt your report with our PGP key (https://www.dragon1.com/public_key.zip) to prevent the information from falling into the wrong hands.
  • Not to abuse the weakness by, for example, downloading more data than is necessary to demonstrate the leak, or by changing or deleting data, and to exercise extra restraint with personal data.
  • Not to share the weakness with others until it is resolved, and not to use automated security attacks from third-party applications, social engineering, distributed denial-of-service, or spam.
  • To provide enough information to reproduce the weakness so that we can fix it as quickly as possible. Usually, the IP address or the URL of the affected system, a description of the vulnerability, and the actions taken are sufficient; however, more complex vulnerabilities may require additional information.

What we promise:

  • We will respond to your report within three working days with our assessment of the report and a proposed solution.
  • We will handle your report and will not share your personal information with third parties without your permission unless necessary to reach an agreement.
  • We will inform you of the progress of fixing the weakness.
  • Anonymous or pseudonymous reporting is possible. Be aware that in that case we cannot contact you about, for example, the next steps, the progress of closing the leak, or the publication of the next report.

Our policy is not to award rewards for reporting weak spots.

We strive to resolve all issues quickly and keep all parties informed. We are pleased to be involved in a publication about the vulnerability once it has been resolved.

Our policies are licensed under a Creative Commons Attribution 3.0 license. The policy is based on the example policy of Floor Terra (ResponsibleDisclosure.nl).

All Dragon1 (Software and EA Method) texts and visualizations on this website are originals and copyrighted material and are intellectual property of Dragon1 BV. This website is the official source for these materials. Copying, modifying, and/or using (parts of) this content in other media, or technology is prohibited, unless prior written consent is obtained. Any person, AI agent, or software reusing (parts) of Dragon1 material must show a clear, visible referral link to this website, dragon1.com.