Reporting security vulnerabilities

Our company, ACTIVE24, constantly evaluates the risk of potential attacks on our services and takes it into account in both the development and maintenance of the services, as well as in immediate response.
We dedicate a large part of our tech team's capacity to securing our services. We are aware that the security of our services is not a static endeavor but an ongoing process of re-evaluation, development and improvement, in which a quick response to discovered weaknesses is key. For that reason we welcome any cooperation with security specialists, and we reward responsible reports of any found or potentially exploitable vulnerability in our systems. Every reported vulnerability will be checked immediately and, if it is confirmed, we will arrange for it to be fixed quickly. If you encounter any security risk in ACTIVE24 systems, please report it responsibly according to the policy described below.
If you follow the policy below, ACTIVE24 pledges that there will be no legal action taken against you in regard to this vulnerability, if it's critical, and there will be a financial reward for discovering it.

Security Vulnerability Reporting Policy:

  • Discovered vulnerabilities are to be reported to csirt @ active24.cz
  • If at all possible, please encrypt the report with our PGP key.
  • As part of the report provide the following details:
    • Your name and contact information (including your PGP key for the possibility of encrypted response)
    • Details of the vulnerability, including a description of how to reproduce and prove it, along with a proof of concept of possible misuse.
  • Cooperate with us on the verification and reproduction of the vulnerability
  • Avoid invading privacy, interfering with stored data, or damaging services while searching for and testing vulnerabilities
  • Avoid accessing or modifying stored data that does not belong to you
  • Please give us enough time to verify the reported vulnerability and make amendments before you publish or share any information about the vulnerability
     

Please expect our response within one or two working days from the initial report.