Responsible Disclosure Policy
The information on this page is intended for security researchers who want to report a security vulnerability to Exact. If you are a customer that has a security related question, please contact customer support through the normal channels.
At Exact, we consider the security of our systems and products a top priority. But no matter how much effort we put into security, there can still be vulnerabilities.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us protect our systems and products.
Don’t use the Responsible Disclosure flow for
- Product questions: Contact customer support
- Complaints: Contact customer support
- Unavailable services: Check https://status.exact.com/
- Report the following via security [at] exact [dot] com:
- Fake/Phishing emails
- Potential data leaks
- Security incidents
In case of vulnerabilities, please do the following
- E-mail your findings to responsible-disclosure [at] exact [dot] com.
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, deleting/modifying other people's data or interrupting/degrading of our service(s)
- Do not reveal the problem to others until it has been resolved
- Do not use attacks on physical security, social engineering, (distributed) denial of service, spam, applications of third parties, malware or hacking tools and vulnerability scanners
- Provide enough information, logs and screen shots to reproduce the problem, so we will be able to address the vulnerability as quickly as possible. Usually the IP address(es) or the URL(s) of the affected system(s) and a description of the vulnerability will be sufficient. Complex vulnerabilities may require further explanation.
What we promise
- If you have followed the instructions above, we will not take any legal action against you regarding the report
- We will respond to your report within 5 business days with our evaluation of the report and follow up actions
- We will handle your report with strict confidentiality and will not pass on your personal details to third parties without your permission
- We will try to resolve the finding that you have reported as quickly as possible within 90 days
- We will keep you informed on the progress
- Once the finding has been resolved, we will decide in consultation with you whether and how details will be published
- In the public information concerning the reported finding, we will give you recognition as the discoverer with your prior approval
- We will offer a place in our Hall of Fame when a change is made based on your report
- We do not offer money or goodies for reports. The only exception is our Officient bug bounty program (more details can be found here)
Thank you for your cooperation, we really appreciate the effort you put into improving the security of Exact!
Hall of fame
We would like to thank the following people for their contribution:
- Ahmed Abbas
- Akshay Shelke
- Areeb Tahir
- Atharva Manoj Allewar
- codedunited
- Bram van Tiel
- Constantin Blach
- Durvesh Kolhe
- Gaurang Maheta
- Hamza Asif
- Harinder Singh(S1N6H)
- Huub van Rijn
- Jamie Zwart
- Jelle Ursem
- Keyur Maheta
- Koen Berkhout
- Maciej Grabiec
- Martin van Wingerden
- Max Raams
- Max Rozendaal
- Mehedi Hasan
- Muhammad Hammad
- Nikhil Rane
- Palyam Ajaykumar
- Patrick Hofman
- Praveen Kumar
- Priti Navale
- Ritik Singh
- Sagar Palkar
- Sagar Yadav
- Serge Semenov
- Shubham Sharma
- Siddharth Mahendra Zala
- Sohail Ahmed
- Swapnil Kothawade
- Victor Pasman
- Wout Rikkerink
- Wouter de Droog
- Yash Kushwah
- Yevheniia Liadska