We know how much work goes into security research and penetration testing. Ethicontrol appreciates responsible disclosures that help us improve the security and resilience of our services.
Responsible Disclosure
If you believe you have found a security vulnerability affecting Ethicontrol, please report it responsibly and give us a reasonable opportunity to investigate and remediate the issue before making any public disclosure.
Please send security reports to:
security [at] ethicontrol.com
What to Include in Your Report
To help us assess and reproduce the issue, please include the following information:
| Information required | What to provide |
|---|---|
| Summary of the issue | A clear description of the suspected vulnerability |
| Affected asset | Domain, URL, endpoint, application, API, or system affected |
| Severity rating | Your rating from 1 to 5, where 1 is low and 5 is critical |
| Proof of concept | Clear steps, screenshots, video, request/response examples, or technical details showing how to reproduce the issue |
| Practical impact | Explanation of what an attacker could realistically achieve |
| Environment | Operating system name and version, browser name and version, and relevant tools used |
| Your contact details | Name, email, and preferred contact method |
Severity 5 should be reserved for critical impact, such as the ability to hijack, impersonate, or access another user’s account or data.
Safe Testing Rules
When conducting security research, please act responsibly and avoid any activity that could harm Ethicontrol, our customers, our users, or third parties.
| Do | Do not |
|---|---|
| Test only within the minimum scope necessary to verify the issue | Do not access, modify, delete, copy, or disclose data that does not belong to you |
| Provide a clear proof of concept | Do not perform denial-of-service, stress, load, or destructive testing |
| Stop testing once the vulnerability is confirmed | Do not use automated high-volume scanning without prior written approval |
| Report the issue promptly and confidentially | Do not publicly disclose the issue before we have investigated and addressed it |
| Use your own accounts and test data where possible | Do not conduct phishing, social engineering, spam, or physical attacks |
Common Non-Vulnerabilities
To avoid frustration, please note that the following findings are generally considered low-impact or non-qualifying unless you can demonstrate a clear, practical security impact.
| Finding type | Usually not considered a valid vulnerability unless practical impact is shown |
|---|---|
| Generic scanner output | Automated scan results without verified exploitability |
| Missing or imperfect security headers | For example, HSTS, CSP, X-Frame-Options, or similar findings without demonstrated impact |
| SPF, DKIM, or DMARC recommendations | Email configuration suggestions without a practical abuse scenario |
| Version disclosure | Server, framework, library, or technology version disclosure without a working exploit |
| Clickjacking | Clickjacking on pages that do not contain sensitive actions or data |
| Rate limiting observations | Missing or weak rate limits without practical abuse, bypass, or business impact |
| Self-XSS | Issues requiring a user to attack themselves |
| Logout CSRF | Logout-only CSRF without further security impact |
| Third-party issues | Findings affecting services, platforms, or infrastructure outside Ethicontrol’s control |
| Best-practice suggestions | General hardening recommendations without exploitability or material risk |
Rewards
Ethicontrol does not currently operate a public paid bug bounty program with guaranteed monetary rewards.
We are grateful to researchers who responsibly disclose valid security issues. For reports that are not common non-vulnerabilities, we may provide acknowledgement, recognition, swag, or, in rare cases, discretionary bounty money.
Any reward is entirely discretionary and depends on factors such as:
| Factor | Consideration |
|---|---|
| Validity | Whether the issue is confirmed and reproducible |
| Severity | The actual security impact and exploitability |
| Business impact | Whether customer data, system integrity, or service availability is affected |
| Originality | Whether the issue was previously known or already reported |
| Report quality | Clarity, completeness, and usefulness of the proof of concept |
| Responsible conduct | Compliance with this policy and safe testing rules |
No reward is guaranteed unless expressly agreed in writing by Ethicontrol in advance.
Our Commitment
We aim to review responsibly disclosed reports in good faith. Where a report is valid and relevant, we will investigate the issue, assess the impact, and take appropriate remediation steps.
We appreciate the contribution of independent researchers and the wider security community in helping keep Ethicontrol secure.