Responsible Disclosure Policy
Last updated 10th of February 2025
At Sonderplan (https://www.sonderplan.com), we value the security and privacy of our customers and the integrity of our platform. This policy outlines how to report security vulnerabilities to us and how we receive and address such reports in a coordinated and responsible manner.
1. Scope
This policy covers security vulnerabilities in:
- The Sonderplan web application and APIs (sonderplan.com and any subdomains)
- Mobile and desktop clients distributed by Sonderplan
- Backend services and infrastructure we own and operate
- Open-source libraries and frameworks packaged and distributed by Sonderplan
The following are considered out of scope:
- Missing security headers without a demonstrated exploit
- Self-XSS or issues requiring user self-compromise
- Clickjacking on non-sensitive pages
- Rate limiting or brute force without proof of impact
- Reports based solely on automated scanning tools
- Issues requiring unrealistic user interaction
- Best practice recommendations without a security impact
2. Reporting a Vulnerability
If you believe you have discovered a security vulnerability in our systems, please email us at [email protected] with the following information:
- Description: A detailed description of the issue, including affected components and potential impact.
- Steps to Reproduce: Clear, step-by-step instructions or a proof-of-concept demonstrating the vulnerability.
- Environment: URLs, versions, or configurations where you discovered the issue (e.g., production vs. staging).
- Contact Information: How we can reach you for follow-up questions or clarifications.
3. Safe Harbor and Legal Terms
Sonderplan will not initiate legal action against researchers who:
- Conduct testing in good faith to identify and report vulnerabilities under this policy
- Do not violate user privacy, degrade the performance of our systems, or destroy data
- Follow the steps outlined in this policy for responsible disclosure
Safe harbor applies only to activities that:
- Strictly adhere to this policy
- Avoid accessing, modifying, or exfiltrating data
- Do not impact system availability or performance
4. Response and Remediation Process
Upon receiving a report, we will:
- Acknowledge Receipt: Within three (3) business days, we will confirm receipt of your report.
- Initial Assessment: We will validate the issue and determine severity.
- Ongoing Updates: We will provide periodic updates on our progress.
- Remediation: We will work to fix the vulnerability in a timely manner.
- Public Disclosure: With your consent, we will credit you in a public security advisory once the issue is resolved. You may choose to remain anonymous.
5. Recognition and Rewards
Sonderplan does not operate a bug bounty program and does not provide financial or material rewards for vulnerability reports.
At our discretion, we may acknowledge valid findings.
6. Confidentiality
Please keep all details of the vulnerability confidential until after remediation and publication of our advisory.
7. Contact Information
Email: [email protected]
Reports must be submitted via the contact method outlined in this policy. Reports submitted through other channels may not be reviewed.
Thank you for helping us improve the security of Sonderplan.