Responsible Disclosure Policy

Version November 2021

The information on this page is intended for security researchers who want to report a security vulnerability to Exact. If you are a customer that has a security related question, please contact customer support through the normal channels.

At Exact, we consider the security of our systems and products a top priority. But no matter how much effort we put into security, there can still be vulnerabilities.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us protect our systems and products.

Don’t use the Responsible Disclosure flow for

  • Product questions: Contact customer support
  • Complaints: Contact customer support
  • Unavailable services: Check https://status.exact.com/
  • Report the following via security [at] exact [dot] com:
    • Fake/Phishing emails
    • Potential data leaks
    • Security incidents

In case of vulnerabilities, please do the following

  • E-mail your findings to responsible-disclosure [at] exact [dot] com.
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, deleting/modifying other people's data or interrupting/degrading our service(s)
  • Do not reveal the problem to others until it has been resolved
  • Do not use attacks on physical security, social engineering, (distributed) denial of service, spam, applications of third parties, malware or hacking tools and vulnerability scanners
  • Provide enough information, logs and screenshots to reproduce the problem, so we will be able to address the vulnerability as quickly as possible. Usually the IP address(es) or the URL(s) of the affected system(s) and a description of the vulnerability will be sufficient. Complex vulnerabilities may require further explanation.

What we promise

  • If you have followed the instructions above, we will not take any legal action against you regarding the report
  • We will respond to your report within 5 business days with our evaluation of the report and follow up actions
  • We will handle your report with strict confidentiality and will not pass on your personal details to third parties without your permission
  • We will try to resolve the finding that you have reported as quickly as possible within 90 days
  • We will keep you informed on the progress
  • Once the finding has been resolved, we will decide in consultation with you whether and how details will be published
  • In the public information concerning the reported finding, we will give you recognition as the discoverer with your prior approval
  • We will offer a place in our Hall of Fame when a change is made based on your report
  • We do not offer money or goodies for reports. The only exception is our Officient bug bounty program (more details can be found here)

Thank you for your cooperation. We really appreciate the effort you put into improving the security of Exact!

Hall of Fame

We would like to thank the following people for their contribution:
