Phone: +46 73 687 0060
Corporate id no: 556917-6091
We hope that developers and users share not only validated attacks or vulnerabilities, but also concerns and general comments on security aspects of our software. This will help us improve our documentation and/or our products, and if we follow your advice we will of course give you credit, provided you let us do that.
Although our license does not impose any restrictions on how you disclose security issues or attacks, we would appreciate it if you did not immediately post them online or report them as issues at the public BitBucket software repository (although we understand the urge!).
Instead we hope that you contact us and give us a chance to discuss the findings with you to make sure that we fully understand them. We may also be able to suggest additional targets that you could investigate.
Keep in mind that other people are using our software, or some modified version of it, and they deserve a chance to update their systems or complete an election before you make your findings public.
We have first-hand experience of finding serious flaws and attacks and understand the amount of work involved. We also have an academic mindset, so we will make sure that you get the credit you deserve. Exactly how depends on the importance of the contribution and on what you want, e.g., if you do research, you may want to wait to post some things and publish a paper.
Issues that are not security critical should normally be reported in the issue system at the source code repository at BitBucket. However, if an issue is only a symptom of a larger problem, then we welcome an email where you outline your ideas, and we hope that you are open to discussing the matter so that we can decide what should be done.