Responsible Disclosure Policy

Version May 2020

The information on this page is intended for security researchers who want to report a security vulnerability to Exact. If you are a customer and have a security-related question, please contact customer support via the normal channels.

At Exact, we consider the security of our systems and products a top priority. But no matter how much effort we put into security, there can still be vulnerabilities.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us protect our clients and our systems.

Don’t use the Responsible Disclosure flow for

  • Product questions: Contact customer support
  • Complaints: Contact customer support
  • Fake/Phishing emails: Report via security [at] exact [dot] com
  • Potential data leaks: Report via security [at] exact [dot] com
  • Unavailable services

In case of vulnerabilities, please do the following

  • E-mail your findings to responsible-disclosure [at] exact [dot] com.
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, deleting/modifying other people's data or interrupting/degrading our service(s)
  • Do not reveal the problem to others until it has been resolved
  • Do not use attacks on physical security, social engineering, (distributed) denial of service, spam, applications of third parties, malware or hacking tools and vulnerability scanners
  • Do provide enough information, logs and screenshots to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.

What we promise

  • If you have followed the instructions above, we will not take any legal action against you regarding the report
  • We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission
  • We will try to resolve the security problem that you have reported as quickly as possible within 90 days
  • We will keep you informed of the progress towards resolving the problem
  • Once the problem has been resolved, we will decide in consultation with you whether and how details will be published
  • In the public information concerning the problem reported, we will, with your prior approval, give you recognition as the discoverer of the problem

Thank you for your cooperation. We really appreciate the effort you put into improving the security of Exact!
