Remerge Vulnerability Disclosure Policy

Welcome! We are glad that you are interested in the way we handle security vulnerability cases. This page aims to address the following concerns:

• What this policy covers
• Guidelines on reporting
• How you can report a security vulnerability case to us
• Legal compliance

Part 1: Introduction

Before you proceed with reporting, you must read the contents of this page carefully. Once you have read and understood our policy, you will have a better idea of our reporting process and how to submit a report to us.

Our team regularly reviews security issues and investigates cases, and takes security vulnerabilities seriously by collaborating with our partners.

Part 2: What this policy covers

This disclosure policy is valid only to assets that are owned, operated, or maintained by Remerge under the following conditions:

• The vulnerability has never been detected before nor have been reported by our internal team.
• The vulnerability is not caused simply by a high volume of reports that overwhelms a service
• The vulnerability is not exploitable, or if our services are not aligned with so-called ‘best practices’, such as missing security headers or TLS configuration weaknesses.

This policy applies to everyone, including both current and former Remerge staff, third party suppliers, partners, and general users of Remerge products and services.

BUG BOUNTY

Remerge will make an effort to recognize those who dedicate their time and effort to point out security vulnerabilities, in our own way, but we do not pay bug bounty.

Part 3: Guidelines on reporting

Your report must be based on genuine grounds and is intended to help us make our website a more secure place. As a security researcher, you must not:

• Access excessive amounts of data. For example, a small amount of data is enough to prove most vulnerability cases.
• Use methods and tools that are invasive or destructive.
• Violate the privacy of Remerge stakeholders (employees, clients, suppliers, partners, or contractors). For example, by sharing, distributing, and/or mishandling data retrieved from our systems or services.
• Modify data hosted on Remerge systems or services.
• Disrupt Remerge systems or services.
• Use methods like social engineering, phishing, or physical attack on Remerge staff or infrastructure.
• Disclose any vulnerabilities of Remerge to third parties or the general public, without confirming with Remerge if those vulnerabilities have been mitigated or rectified. However, you may inform a vulnerability to third parties that are directly affected by it. An example would be if the vulnerability is in a techstack belonging to a third party. In this case, details of the specific vulnerability related to Remerge must not be disclosed in such reports.
• Demand for monetary compensation in exchange for disclosure of any vulnerability found that is not covered by our bug bounty policy. This includes holding us or any party to ransom.

You must delete all data retrieved during your research once it is no longer required or within one month after the vulnerability issue is resolved, whichever comes first.

Part 4: How to report a security vulnerability

If you have discovered something that is an indication of a security vulnerability, please read the details explained above in Part 2 and 3 to understand the scope. Then you may write a report to us via email at security@remerge.io

Please include the following details in your report:

• The exact location/section of our website where you have identified the vulnerability
• The type of vulnerability, e.g. ‘API vulnerability’, and a short description of it.

In order for your report to be managed and assigned quickly, your report should provide proof of the vulnerability in a helpful, constructive, and objective way. This helps minimize the chances of generating duplicate reports or malicious exploitation of particular vulnerabilities. An example would be SQL injection.

NEXT STEPS

We aim to reply to you within 72 working hours of receiving your report via email. Our security team will triage your report and get in touch with you as soon as possible if further information is needed, whether the vulnerability is in or out of scope, or if the vulnerability has already been reported before. If remediation work is needed, it will be resolved internally by the relevant Remerge team. Regarding bug fixes and mitigations, we will prioritize them based on the impact severity and exploit complexity.

Your report might take some time to be assessed. You may follow up on the status of the process only when necessary; once every two weeks is sufficient. This is to ensure that our team can focus their efforts on investigating the report itself.

Once your report has been resolved or remediation work is required, our security team will inform you and ask you to review our solution and check if it addresses the vulnerability issue you have raised.

Part 5: Legal compliance

We have created this vulnerability disclosure policy in line with industry best practices. This policy does not afford you the right to act in any manner that goes against the law, or might cause Remerge to be in breach of its legal obligations, including but not limited to:

• The Computer Misuse Act (1990)
• The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018
• The Copyright, Designs and Patents Act (1988)
• Privacy and Electronic Communications Regulations

Please inform yourself and comply with the data protection regulations and laws applicable to your region in relation to any relevant information mentioned in this document. Remerge will not take legal action against any reporter who is genuinely concerned and has good intentions in pointing out the security vulnerability on our service or system, in agreement with this disclosure policy. However, this does not give security researchers the right to reverse engineer our Intellectual Property, in which legal action can be taken.

Thank you for your interest in making the Internet a safer place.