Legal
Responsible disclosure
Last updated: 26 May 2026
If you find a security issue in our systems, tell us. This page explains how to report it safely and what you can expect from us.
Vulnerability discovered? Let us know
If you notice a vulnerability in one of our systems, we ask you to contact us. We appreciate careful reporting according to the conditions below and are happy to cooperate so we can take action as soon as possible.
Conditions
We ask you to adhere to the following conditions:
- E-mail your findings to hello@aquadome.ai. We would like to get in touch with you to (safely) exchange the necessary details. Usually the IP address, domain name or URL of the affected system and a description of the vulnerability are sufficient; for more complex issues we may need additional information.
- Do not abuse the problem or share it with others until it is resolved.
- Delete any confidential data obtained immediately, or at the latest after the leak has been plugged.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications.
If you have complied with the above conditions, we will not take legal action against you regarding the report.
Scope
This responsible disclosure policy applies exclusively to:
- www.aquadome.ai — our public marketing site
- app.aquadome.ai — the Aquadome application
- Infrastructure and services operated by Aquadome BV that directly support these properties
Process
Further processing takes place as follows:
- As soon as possible, but at the latest within four working days, we will respond to your report. If possible, we will give our assessment and an expected date for a solution. We will keep you informed about progress.
- We strive to solve all problems as soon as possible and would like to be involved in any publication about the problem after it has been solved.
- We will treat your report confidentially and will not share your personal information with third parties without your permission, unless this is necessary to comply with a legal obligation.
No invitation for abuse
When investigating a vulnerability in one of our systems, please take into account the proportionality of the attack. You do not need to prove that a large (D)DoS attack on one of our services would take us offline — we know that.
This is not an invitation to actively scan our networks to discover weak spots. Brute-force attacks, (D)DoS, and social engineering fall outside the scope of this policy.
Do not perform (D)DoS attacks.
Do not test rate limits on forms. The disruption these tests cause is worse than any possible discovery of rate-limit vulnerabilities.
Exclusions
Reports based on the following findings or scenarios are excluded from this responsible disclosure policy:
- Findings related to SPF, DKIM, and DMARC records, or absence of DNSSEC.
- Absence of HTTP security headers.
- CSRF on forms that can be accessed anonymously (without a session).
- Brute-force, (D)DoS, and rate-limit related findings.
- Clickjacking and related vulnerabilities.
- Reports of unsafe SSL/TLS protocols and related misconfigurations.
- Possibly outdated server or application versions (from external parties) without proof of vulnerability and proof of exploitation.
- Version exposure (unless you deliver a proof of concept of a working exploit).
- Disclosure of known public files or directories, or non-sensitive information.
- Reports from automated tools and scans.
Do not submit reports of these excluded findings. They are most likely known and accepted risks, or have already been reported.
Reward
As a thank you for your help, we may offer a reward for reporting a previously unknown security issue that fully conforms to this policy. We determine the size of the reward based on the severity and quality of the report.
If the issue was previously reported, or is a low or accepted risk, the report does not qualify for a reward.
We will not reward reports from persons living in a country listed on EU or UN sanction lists.
Attribution
This responsible disclosure policy is based on responsibledisclosure.nl and the NCSC's Coordinated Vulnerability Disclosure policy guideline. For our broader security posture, see Security.