Responsible Disclosure Policy

At Castor, the security of our systems and the safety of your data are core characteristics of our company. We put a lot of effort into securing our websites and systems, but there is always room for improvement.

If you believe you have found a (potential) vulnerability in any of our products or on one of our domains, please inform us so we can take all necessary actions and precautions to mitigate the issue. We are always open to cooperating with you to better protect our users, partners, data, and systems, and we strive to resolve any vulnerability as quickly as possible. We would like to ask you to:

  • Email your findings with a technical description of the concern or vulnerability to responsible-disclosure@castoredc.com. If possible use the public PGP key listed below.
  • Please provide all information necessary to reproduce the problem so we can fix it as soon as possible. This includes, but is not limited to, the date/time of discovery, the affected URLs, versions of tools used, etc.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • Refrain from sharing information about the issue with others until it is solved and erase all confidential data obtained through the leak directly afterwards.
  • Refrain from including sensitive information, e.g. patient information, in any screenshots or other attachments you provide to us. If it is essential for reproducing the issue, please let us know in your initial contact and we will arrange for a secure way to exchange this information.

What we will do:

  • We will respond to your report as soon as possible, and no later than 4 workdays, with an assessment of the problem and the expected date for a solution, which will be within 10 workdays.
  • We will treat your report confidentially and your personal details will not be shared with third parties without your permission unless this is necessary to meet our legal obligations. Reporting using a pseudonym is possible as well.
  • We will keep you informed about the progress of solving the problem.
  • If you wish, we will include your name as discoverer in our communications about the problem.
  • If you have complied with the above conditions, we will not take legal action against you.
  • As a thank you for your help, we can decide to offer you a reward for your notification based on the severity of the leak and the quality of the notification.

This Responsible Disclosure Policy may be updated from time to time. You can always find the latest version on our website.

This policy applies to the following products and domains:

  • Castor EDC (*.castoredc.com)
  • Castor SMS (*.castorsms.com)
  • MyConsent (*.myconsent.nl)

Excluded (sub-)domains are:

  • support.castoredc.com (hosted by Zoho)
  • support.castorsms.com (hosted by Zoho)
  • customer-survey.castoredc.com (hosted by Zoho)
  • careers.castoredc.com (hosted by Recruitee)

Qualifying Vulnerabilities:

  • Injection attacks
  • Cross-Site Scripting (XSS)
  • Remote Code Execution (RCE)
  • Cross-Site Request Forgery (CSRF)
  • Broken Authentication
  • Authorization Flaws / Privilege Escalation
  • Directory Traversal
  • Sensitive Information leaks or disclosure

Non-qualifying vulnerabilities:

  • Clickjacking on unauthenticated pages or on cases with no state-changing action
  • Reports from automated tools or scans
  • SPF/DKIM configurations set to softfail instead of reject
  • Same Site Scripting / localhost DNS record
  • Forgot Password page brute force / DoS attacks
  • Missing HTTP Public Key Pinning (HPKP)
  • Host Header Injection
  • Reporting older versions of any software without proof of concept or working exploit
  • Content spoofing on 403 or 404 pages
  • Missing session revocation on email or password reset
  • Self XSS

Reports of the same vulnerability on multiple subdomains will always be handled as a single disclosure.

Public GPG key:

Fingerprint:

E36A9544ED93B643698A5463EA3A6A07D69E6162