Responsible Disclosure Policy

Overview

At Delio, we consider the security of our systems a top priority. However, no technology is perfect and Delio believes that working with skilled security researchers across the globe is very important in identifying weaknesses in any technology. If you believe you’ve found a security issue in our product or service, we appreciate your help in disclosing it to us in a responsible manner. We welcome working with you to resolve the issue promptly.

Delio will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond to, and fix vulnerabilities in support of our commitment to security and privacy. We won’t take legal action against, suspend, or terminate access to the Service of those who discover and report security vulnerabilities responsibly. Delio reserves all of its legal rights in the event of any non-compliance.

As thanks for your help, we offer a reward for every report of a security problem that is not known to us. We determine the value of the reward on the basis of the seriousness of the breach and the quality of the report.

Reporting

Share the details of any suspected vulnerabilities with the Delio Security Team by filing a report. Please do not publicly disclose these details outside of this process without explicit permission. In reporting any suspected vulnerabilities, please include the following information:

  • Vulnerable URL – the endpoint where the vulnerability occurs;

  • Vulnerable Parameter – if applicable, the parameter where the vulnerability occurs;

  • Vulnerability Type – the type of the vulnerability;

  • Steps to Reproduce – step-by-step information on how to reproduce the issue;

  • Screenshots or Video – a demonstration of the attack; and

  • Attack Scenario – an example attack scenario may help demonstrate the risk and get your issue resolved faster.

Reports that carry an acceptable risk but demonstrate a valid security-related behaviour will be closed as informative. Submissions that don’t present a security risk, are false positives, or are out of scope will be closed as N/A.

Identical reports will be marked as “Duplicate[s]” of the original submission; the original report can be marked as (but is not limited to) “Triaged”, “N/A”, or “Informative.”


While we do not currently have a formal vulnerability reporting system in place, please reach out to security@deliogroup.com to report any critical issues you may discover. Please encrypt any sensitive data with our PGP key.

Disclosure policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.

  • Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

  • Submissions may be closed if a researcher is non-responsive to requests for information after 14 days.

Exclusions

In no event are you permitted to access, download or modify data residing in any other Account, or one that is not registered to you. While researching, we’d like to ask you to refrain from:

  • Executing or attempting to execute any “Denial of Service” attack.

  • Taking actions that affect the integrity or availability of program targets; this is prohibited and strictly enforced. If you notice performance degradation on the target systems, you must immediately suspend all use of automated tools.

  • Social engineering (including phishing) of Delio staff or contractors.

  • Any physical attempts against Delio property or data centres.

  • Knowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.

  • Testing in a manner that would result in the sending of unsolicited or unauthorised junk mail, spam, pyramid schemes or other forms of duplicative or unsolicited messages.

  • Testing or otherwise accessing or using the Service from any jurisdiction that is a Prohibited Jurisdiction.

  • Testing third-party applications or websites or services that integrate with or link to the Service.

Our commitment

We ask that you do not share an unresolved vulnerability with third parties or otherwise publicise it. If you responsibly submit a vulnerability report, the Delio security team and associated development organisations will use reasonable efforts to:

  • Acknowledge receipt of your vulnerability report in a timely manner

  • Provide an estimated time frame for addressing the vulnerability report

  • Notify you when the vulnerability is fixed

As a token of our gratitude for your assistance, we offer a reward for every report of a security problem that was not yet known to us. The amount of the reward will be determined based on the severity of the leak and the quality of the report.