SMSEagle Responsible Disclosure Policy

At Proximus Sp. z o.o. (owner of the SMSEagle brand), we consider the security of our systems and our products to be of utmost importance. We use a Secure Development Lifecycle process to integrate security into our products from design through development and release. However, vulnerabilities sometimes escape detection, or new exploits are released after the product is on the market.

If you have found such a weakness, we would like to hear about it as soon as possible so that we can take appropriate measures as quickly as possible. We investigate all received vulnerability reports and implement the best course of action to protect our customers.

If you are a security researcher and have discovered a security vulnerability in our products, we appreciate your help in disclosing it to us responsibly. Proximus will not take legal action against responsible reporters who voluntarily and in good faith report a vulnerability to us and follow our processes.

We ask that you comply with the following Responsible Disclosure Guidelines:

  • E-mail your findings as quickly as possible to security(at)smseagle.eu. Our PGP key is available below.
  • Do not abuse the vulnerability; for example, by downloading, editing, or deleting data that does not belong to you.
  • Do not share the problem with others until it has been resolved.
  • Do not use attacks on physical security, social engineering, or hacking tools, such as vulnerability scanners.
  • Give adequate information for the problem to be reproduced so that we can resolve it as quickly as possible.
  • Allow us to correct a vulnerability within a reasonable time frame before publicly disclosing the identified issue, to ensure that Proximus has developed and tested a patch and made it available to licensed customers at the time of disclosure.

What we promise:

  • We will promptly respond to your report within 3 business days.
  • We will work closely with you to understand the nature of the issue and agree on timelines for the fix and disclosure together.
  • We will handle your report confidentially, and will not share your personal information with third parties without your permission.
  • We will keep you informed of the progress of the solution to the problem.
  • We will notify you when the vulnerability is resolved, so that it can be re-tested and confirmed as remediated.
  • We will publicly acknowledge your responsible disclosure (if you wish credit for such disclosure).
  • As a token of our gratitude, we may offer a reward for the report of a security problem that was not yet known to us. The amount of the reward is determined based on the severity of the leak and the quality of the report. Whether we grant you the reward is our individual and indisputable decision. We do not offer rewards for website-related findings.

We strive to resolve all problems as quickly as possible and to keep all involved parties informed, and we would like to be involved in any publication about the problem once it is resolved.
