Silverfin

Responsible Disclosure Policy

Silverfin's Responsible Disclosure Policy, updated on 21 June 2023, invites security researchers to confidentially report suspected vulnerabilities affecting its information, systems, or services via email, while strictly prohibiting unauthorized access, data modification, social engineering, malware distribution, DoS attacks, and other illegal activities to protect customers and maintain security.

Last updated: 21 June 2023

Our Program

At Silverfin, we are committed to ensuring the security of our information, systems, and services and value the role of security researchers in helping us mitigate cybersecurity risk.

If you believe you have discovered a suspected cyber threat or security issue that affects the confidentiality, integrity, or availability of Silverfin’s information, systems, or services (“vulnerability”), please submit a report to our team via one of the methods below.

For the protection of our customers, we treat all information regarding a vulnerability as confidential and ask that you do not publicly disclose, discuss, or confirm the details of any suspected security issues.

What's Not Allowed

While we encourage security research on our products and services, the following types of research are strictly prohibited:

  • Accessing or attempting to access accounts or information you are not authorised to access
  • Any attempt to modify or destroy information
  • Sending or attempting to send unsolicited or unauthorised email or other type of message
  • Conducting social engineering (including phishing) of Silverfin employees, contractors, customers, or any other related party
  • Posting, transmitting, uploading, linking to, sending, or storing malware that could impact our services, products, or customers
  • Exfiltration, disclosure, or use of any proprietary or confidential information or data of Silverfin (including customer data) under any circumstances
  • Clickjacking
  • Weak or insecure SSL ciphers and certificates
  • Any attempt at a Denial of Service (DoS)
  • Any activity or attempt to gain unauthorised access to Silverfin software or systems in violation of law.

Silverfin does not waive any rights or claims with respect to such activities.

Reporting a Security Issue

You can responsibly disclose suspected vulnerabilities to the Silverfin Team by emailing:

bugbounty@silverfin.com

To assist us in investigating your report, we recommend that it follow this structure:

  • Affected product or service, including affected URL(s)
  • Your name and contact information (if you do not wish to provide your personal information, you may contact us anonymously, or by using a pseudonym)
  • Date, time, and time zone of when the suspected vulnerability was discovered
  • IP address used when the suspected vulnerability was discovered
  • Steps to reproduce the vulnerability

Next Steps

After you submit your disclosure, you will receive confirmation within 5 business days that we’ve received it.

We will use the disclosure information you provide to enhance the security of our systems. We may also use the information in notifications to regulatory bodies, to comply with laws, and assist government or law enforcement agencies.

Privacy

If you have provided your personal information, we may contact you for more information to assist us with investigating your disclosure.

For more information about how we handle your personal information, you can refer to our privacy policy: https://www.silverfin.com/privacy.

As Silverfin is a Belgian company, you are also protected by the Belgian Act on the Protection of Whistleblowers.

Recognition

Silverfin does not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities through the responsible disclosure program.

However, we are very grateful for any submissions and are happy to write LinkedIn recommendations or even invite you to our private bug bounty program with Intigriti to monetise any future research.