Responsible Disclosure Policy

At Castor, the security of our systems and the safety of your data are core characteristics of our company. We put a lot of effort into securing our websites and systems, but there is always room for improvement.

If you believe you have found a (potential) vulnerability in any of our products or on one of our domains, please inform us so we can take all necessary actions and precautions to mitigate the issue. We are always open to cooperating with you to better protect our users, partners, data, and systems, and strive to resolve any vulnerability problem as quickly as possible.

We would like to ask you to:

  • Email your findings with a technical description of the concern or vulnerability to security@castoredc.com. If possible, use the public PGP key listed below.
  • Please provide all information necessary to reproduce the problem so we can fix it as soon as possible. This includes, but is not limited to, the date/time of discovery, the affected URLs, versions of tools used, etc.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • Refrain from sharing information about the issue with others until it is solved and erase all confidential data obtained through the leak directly afterwards.
  • Refrain from including sensitive information, e.g. patient information, in any screenshots or other attachments you provide to us. If it is essential for reproducing the issue, please let us know in your initial contact and we will arrange for a secure way to exchange this information.

What we will do:

  • We will respond to your report as soon as possible but not later than 2 workdays with an assessment of the problem and the expected date for a solution within 5 workdays.
  • We will treat your report confidentially and your personal details will not be shared with third parties without your permission unless this is necessary to meet our legal obligations. Reporting using a pseudonym is possible as well.
  • We will keep you informed about the progress of solving the problem.
  • If you wish, we will include your name as discoverer in our communications about the problem.
  • If you have complied with the above conditions, we will not take legal action against you.
  • As a thank you for your help, we can decide to offer you a reward for your notification based on the severity of the leak and the quality of the notification.

This Responsible Disclosure Policy may be updated from time to time. You can always find the latest version on our website.

This policy applies to the following products and domains:

  • Castor EDC (*.castoredc.com)
  • Castor SMS (*.castorsms.com)
  • MyConsent (*.myconsent.nl)

 

Public GPG key:


Fingerprint:

BFA0EAB2F37F0440C7A7EBF23FBF6EC856E8B036