Security

Responsible Disclosure Policy

We take the security of our systems very seriously. Responsible disclosure of vulnerabilities helps us ensure the security and privacy of our users.

Guidelines

We ask all researchers to:

  • do their utmost to avoid privacy violations, degradation of user experience, disruption of production systems and destruction of data during security testing;
  • conduct research only within the scope defined below;
  • use the identified communication channels to communicate vulnerability information to us; and
  • keep the vulnerability information you have discovered confidential between you and hosting.de until we have had 90 days to resolve the issue. If the issue affects a third-party library, including open source software, we will ask you to comply with their disclosure policy.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursuing or supporting legal action related to your research;
  • Working with you to understand and resolve the issue quickly (including initial confirmation of your report within 92 hours of submission);
  • Recognizing your contribution in our Security Researcher Hall of Fame in our office, if you are the first to report the issue and we make a code or configuration change based on the issue.

Scope

In the interest of the security of our users, our staff, the Internet in general and yourself as a security researcher, the following types of testing are excluded from scope:

  • Results of physical testing such as access to offices (e.g., open doors, tailgating)
  • Results derived primarily from social engineering (e.g., phishing)
  • Results of applications or systems not listed in the “Scope” section
  • User interface (UI) bugs and spelling mistakes
  • Network-level denial of service vulnerabilities (DoS/DDoS)

Items we do not wish to receive:

  • Personally identifiable information (PII)
  • Credit card holder data

How to report a security vulnerability?

If you think you have found a security vulnerability in one of our products or platforms, please send it to us by email at security@hosting.fr. Please include the following details in your report:

  • Description of the location and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots and compressed screenshots are all helpful to us).