Responsible Disclosure

The security of our ICT systems is a top priority for Maximum. However, no system is invulnerable, and the possibility of loopholes and weaknesses can never be fully eliminated.

Hence, we would like to hear from you if you have found a weakness in one of our ICT systems. We will handle security issues accordingly, and to that end we apply the following policy:

What we ask of you:

  • To email your findings to sysop@maximum.com. If possible, encrypt the email with the PGP key of sysop@maximum.com (the public key is published at the bottom of this page). This prevents the details of the issue from being read by the wrong people while in transit.
  • To provide enough information to reproduce the security issue, so that Maximum can solve the problem quickly. More often than not, the IP address or URL of the affected ICT system and a description of the shortcoming(s) will be enough. For a more complex problem, a more elaborate description (for example the exact request and response, or the steps to reproduce) may be necessary.
  • To provide your contact details, either an email address or a phone number, so that Maximum can contact you.
  • To not share information about the security issue with others until it has been solved.
  • To act responsibly by not performing more actions than are strictly necessary to demonstrate the security issue.

Please do report:

  • Persistent Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Broken Authentication
  • Circumvention of our framework's privacy and permission models
  • Remote Code Execution

Please do not report:

  • Username dictionary attacks
  • Self-XSS
  • Missing or loosely configured DNS SPF records
  • Social engineering
  • Publicly accessible login pages for cms/admin area
  • Security vulnerabilities in third-party applications (like Kerio) that are not patched in the latest version
  • Denial of Service Vulnerabilities
  • Missing HSTS header / Secure cookie flag (HTTPS on this site is not enabled in every part of the world)
  • Missing DNSSEC (we're working on it)
  • Password reset email capture
  • Attacks requiring DNS takeover
  • Webmail accessible over a non-secure connection
  • Missing CSP headers (we're working on it)
  • Missing Public Key Pinning headers
  • Mail relay server configuration issues

Whatever you do, please avoid the following actions:

  • Spreading or distributing malware.
  • Copying, changing or deleting data in the system (make a directory listing of the system instead, if you need to demonstrate access).
  • Making changes to the system.
  • Repeatedly gaining access to the system, or sharing the access with others.
  • Brute-forcing access to the system.
  • Using denial-of-service attacks or social engineering.

What you can expect:

  • When a shortcoming in maximum.com is reported in accordance with the terms and conditions stated above, Maximum will not take legal action in response to the report.
  • Maximum will process the report confidentially and will not share your personal details with third parties without your permission, unless this is a legal requirement.
  • After consultation with you, Maximum can acknowledge you by publishing your name as the person who identified this particular security issue.
  • Within one working day, the system operator of maximum.com will send you a confirmation of receipt.
  • Within three working days, the system operator of maximum.com will send you an evaluation of the security issue. This will include an estimate of the time it will take to solve the problem.
  • The system operator of maximum.com will keep you updated on the progress of solving the security issue.
  • The system operator of maximum.com will try to resolve the security issue as soon as possible, and within a maximum of 60 days. In consultation with Maximum, it can be decided whether and how the resolved security issue will be published.
  • To thank you, a reward will be offered by Maximum. This reward will vary depending on the seriousness of the issue and the quality of the report. 

The public key for sending encrypted emails to sysop@maximum.com:

-----BEGIN PGP PUBLIC KEY BLOCK-----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=LiXY
-----END PGP PUBLIC KEY BLOCK-----

Business enquiries

Thank you for your interest in working with Maximum. Fill in the form below and we'll get back to you within one working day, or send an email to enquiries@maximum.com.