Responsible Disclosure Statement

We at finleap connect are committed to providing the most secure service possible. This includes being assessed by well-known and trusted bodies such as external security assessment firms and banking regulators. finleap connect ensures the professional handling of reported and identified problems and issues.

Guidelines for responsible disclosure

  • When investigating a problem or issue that results in a vulnerability, only ever target your own accounts and data. Never attempt to access anyone else's data, and do not engage in any activity that would be disruptive or damaging to finleap connect. Do not violate the privacy of our users and partners.
  • Please use secure channels to report security issues. See details about this below.
  • Keep any information about identified weaknesses and exploitable vulnerabilities confidential between yourself and finleap connect.
  • Provide a valid attack scenario.
  • Please provide sufficient evidence (e.g. a short proof of concept).
  • Only proper responsible disclosure will result in attribution and reward. See details about this below.
  • Please provide all information in English, German or French so that we are able to process it.

Attribution and rewards

Identifying problems and issues such as security vulnerabilities is of high value for us and we are therefore committed to providing rewards for reporting such vulnerabilities. However, please note that we are not legally obligated to do so.

Attribution and rewards depend on factors such as:

  • Severity – Impact of a vulnerability
  • Time – Whether you are the first person to report this vulnerability
  • Ethics – Whether you complied with our guidelines

Reports that involve any of the following are not considered for attribution or rewards:

  • Any deliberate attempt to destroy finleap connect live data
  • Any deliberate attempt to disrupt active finleap connect services
  • Social engineering methods (e.g. phishing, spear phishing, baiting)

Scope of the responsible disclosure statement

The finleap connect "responsible disclosure statement" applies exclusively to services operated internally by finleap connect. This includes all security topics that are important or relevant to the operation of the finleap connect products and services listed here.

Please note that third-party software, for example the software behind www.connect.finleap.com, is not covered by this responsible disclosure statement. Vulnerabilities or bugs in the finleap connect primary website are therefore not covered either. We would much prefer that you help us identify issues in the products and services operated internally by finleap connect.

What happens after you contacted finleap connect?

  • Our security team will report back to you within two working days with a confirmation of submission.
  • We will begin analysing the reported problem or issue.
  • We will contact you with further inquiries or to confirm that the reported problem or issue has been identified.

After fixing the vulnerability:

  • You may receive a reward.
  • Your contribution may be acknowledged in our hall of fame (we will respect your privacy here and ask you for permission for everything we publish beforehand).
  • You will be allowed to publish your findings.

How to securely communicate with finleap connect

Please send e-mails to responsibledisclosure-connect@finleap.com. We urge you to communicate with us securely. If you are unsure how to do so, write to us without disclosing any details and we will establish a secure channel first.