Responsible Disclosure Policy
Last updated 10th of February 2025
At Sonderplan (https://www.sonderplan.com), we value the security and privacy of our customers and the integrity of our platform. We appreciate the efforts of the security research community in helping us identify and remediate vulnerabilities. This policy outlines our approach to receiving and addressing vulnerability reports in a coordinated and responsible manner.
1. Scope
This policy covers security vulnerabilities in:
- The Sonderplan web application and APIs (sonderplan.com and any subdomains)
- Mobile and desktop clients distributed by Sonderplan
- Backend services and infrastructure we own and operate
- Open-source libraries and frameworks packaged and distributed by Sonderplan
Excluded from scope:
- Third-party systems, integrations, or services not owned or controlled by Sonderplan
- Physical security assessments of offices or facilities
2. Reporting a Vulnerability
If you believe you have discovered a security vulnerability in our systems, please email us at [email protected] with the following information:
- Description: A detailed description of the issue, including affected components and potential impact.
- Steps to Reproduce: Clear, step-by-step instructions or a proof-of-concept demonstrating the vulnerability.
- Environment: URLs, versions, or configurations where you discovered the issue (e.g., production vs. staging).
- Contact Information: How we can reach you for follow-up questions or clarifications.
3. Safe Harbor and Legal Terms
Sonderplan will not initiate legal action against researchers who:
- Conduct testing in good faith to identify and report vulnerabilities under this policy
- Do not violate user privacy, degrade the performance of our systems, or destroy data
- Follow the steps outlined in this policy for responsible disclosure
However, any security testing that falls outside the scope defined above, or that could harm our customers or infrastructure, is not covered by this safe harbor.
4. Response and Remediation Process
Upon receiving a report, we will:
- Acknowledge Receipt: Within three (3) business days, we will confirm receipt of your report.
- Initial Assessment: We will validate the issue and determine severity.
- Ongoing Updates: We will provide periodic updates on our progress.
- Remediation: Work to fix the vulnerability in a timely manner.
- Public Disclosure: With your consent, we will credit you in a public security advisory once the issue is resolved. You may choose to remain anonymous.
5. Recognition and Rewards
While at this time we do not offer a formal bounty program, we recognize and appreciate significant contributions. Researchers whose findings are confirmed will receive:
- Public acknowledgment (unless anonymity is requested)
- Sonderplan merchandise
- A letter of appreciation
6. Confidentiality
Please keep all details of the vulnerability confidential until after remediation and publication of our advisory.
7. Contact Information
Email: [email protected]
Thank you for helping us improve the security of Sonderplan.