At Castor, the security of our systems and the safety of your data are core characteristics of our company. We put a lot of effort into securing our websites and systems, but there is always room for improvement.
If you believe you have found a (potential) vulnerability in any of our products or on one of our domains, please inform us so we can take all necessary actions and precautions to mitigate the issue. We are always open to cooperating with you to better protect our users, partners, data, and systems, and strive to resolve any vulnerability as quickly as possible. We would like to ask you to:
- Email your findings with a technical description of the concern or vulnerability to email@example.com. If possible, use the public PGP key listed below.
- Please provide all information necessary to reproduce the problem so we can fix it as soon as possible. This includes, but is not limited to, the date/time of discovery, the affected URLs, versions of tools used, etc.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Refrain from sharing information about the issue with others until it is solved and erase all confidential data obtained through the leak directly afterwards.
- Refrain from including sensitive information, e.g. patient information, in any screenshots or other attachments you provide to us. If it is essential for reproducing the issue, please let us know in your initial contact and we will arrange for a secure way to exchange this information.
What we will do:
- We will respond to your report as soon as possible but not later than 4 workdays with an assessment of the problem and the expected date for a solution within 10 workdays.
- We will treat your report confidentially and your personal details will not be shared with third parties without your permission unless this is necessary to meet our legal obligations. Reporting using a pseudonym is possible as well.
- We will keep you informed about the progress of solving the problem.
- If you wish, we will include your name as discoverer in our communications about the problem.
- If you have complied with the above conditions, we will not take legal actions against you.
- As a thank you for your help, we can decide to offer you a reward for your notification based on the severity of the leak and the quality of the notification. We only offer rewards to issues that were unknown to us at the moment of disclosure. In case multiple persons report the same issue we will only grant a reward to the first reporter.
This Responsible Disclosure Policy may be updated from time to time. You can always find the latest version on our website.
This policy applies to the following products and domains:
- Castor EDC (*.castoredc.com)
- Castor SMS (pentest.castorsms.com)
- MyConsent (*.myconsent.nl)
Excluded (sub-)domains are:
- support.castoredc.com (hosted by Zoho)
- support.castorsms.com (hosted by Zoho)
- customer-survey.castoredc.com (hosted by Zoho)
- careers.castoredc.com (hosted by Recruitee)
- email.castoredc.com (hosted by Customer.io)
- *.do.castoredc.com (out of scope)
Qualifying vulnerabilities:
- Injection attacks
- Cross-Site Scripting (XSS)
- Remote Code Execution (RCE)
- Cross-Site Request Forgery (CSRF)
- Broken Authentication
- Authorization Flaws / Privilege Escalation
- Directory Traversal
- Sensitive Information leaks or disclosure
Non-qualifying vulnerabilities:
- Clickjacking on unauthenticated pages or on cases with no state-changing action
- Reports from automated tools or scans
- SPF/DKIM configurations set to softfail instead of reject
- Same Site Scripting / localhost DNS record
- Forgot Password page brute force / DoS attacks
- Missing HTTP Public Key Pinning (HPKP)
- Host Header Injection
- Reporting older versions of any software without proof of concept or working exploit
- Content spoofing on 403 or 404 pages
- Missing session revocation on email or password reset
- Self XSS
- Hyperlink injection in email contents
Reports of the same vulnerability on multiple subdomains will always be handled as a single disclosure.
Public GPG key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----