Responsible Disclosure Statement
We at finleap connect are committed to providing the most secure service possible. This includes being assessed by well-known and trusted legal entities such as external security assessor companies or banking regulation authorities. finleap connect handles reported and identified problems and issues professionally.
Guidelines for responsible disclosure
- When investigating a problem or issue resulting in a vulnerability, please only ever target your own accounts and data. Never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to finleap connect. Do not violate the privacy of our users and partners.
- Please use secure channels to report security issues. See details about this below.
- Keep any information about identified weaknesses and exploitable vulnerabilities confidential between yourself and finleap connect.
- Provide a valid attack scenario.
- Please provide sufficient evidence (e.g. a short proof of concept).
- Only proper responsible disclosure will result in attribution and reward. See details about this below.
- Please provide all information in English, German or French so that we are able to process it.
Attribution and rewards
Identifying problems and issues such as security vulnerabilities is of high value for us and we are therefore committed to providing rewards for reporting such vulnerabilities. However, please note that we are not legally obligated to do so.
Attribution and rewards depend on factors such as:
- Severity – Impact of a vulnerability
- Time – Whether you are the first person to report this vulnerability
- Ethics – Whether you complied with our guidelines
Problems and issues reported under any of the following circumstances are not considered for attribution and rewards:
- Any intentional attempt to destroy finleap connect live data
- Any intentional attempt to disrupt active finleap connect services
- Social engineering methods (e.g. phishing, spear phishing, baiting)
Scope of the responsible disclosure statement
In Scope
The finleap connect "responsible disclosure statement" applies exclusively to services operated internally by finleap connect. This includes all security topics that are important or relevant to the operation of the finleap connect products and services listed here.
Please note that third-party software, for example the software that serves connect.finleap.com, is not subject to the responsible disclosure statement. Vulnerabilities or bugs within the finleap connect primary website are therefore not covered either. We would much prefer that you help us identify issues within the products and services operated internally by finleap connect.
Out of Scope
- Any vulnerabilities in our websites, former or current, e.g. figo.io, connect.finleap.com, finleap.com
- Any vulnerabilities associated with third-party tools or services we may use, e.g. WordPress, development platforms etc.
Any vulnerabilities that are out of scope are not subject to this policy and will not be rewarded.
What happens after you have contacted finleap connect?
- Our security team will report back to you within two working days with a confirmation of your submission.
- We will start analysing the reported problem or issue.
- We will get back to you with further questions or to confirm that the reported problem or issue has been identified.
After fixing the vulnerability:
- You may receive a reward.
- Your contribution may be acknowledged in our hall of fame (we will respect your privacy here and ask you for permission for everything we publish beforehand).
- You will be allowed to publish your findings.
How to securely communicate with finleap connect
Please send emails about in-scope vulnerabilities only (see the scope section above for which vulnerabilities to report) to responsibledisclosure-connect@finleap.com.
Please do not use this email address to report out-of-scope vulnerabilities, i.e.:
- Any vulnerabilities in our websites, former or current, e.g. figo.io, connect.finleap.com, finleap.com
- Any vulnerabilities associated with third-party tools or services we may use, e.g. WordPress, development platforms etc.
We urge you to communicate securely with us. If you are unsure how to do so, write to us without disclosing any details and we will establish a secure channel first.