Overview
Maintaining the security of our networks is a high priority at Draken. Recognizing that the broader security research community regularly makes valuable contributions to the security of the Internet, Draken believes that a close relationship with this community will also improve our security. As a result, if you have information about a vulnerability, we want to hear from you! Any information submitted to Draken under this program will be used for defensive purposes – to mitigate or remediate vulnerabilities in our networks or applications, or in the applications of our vendors. Please review the program terms and conditions carefully. Before participating in the VDP, and before conducting any testing of Draken networks prior to submitting a report, you must agree to abide by these terms and conditions. Failure to abide by the terms and conditions will result in you no longer being considered a security researcher under the program.
Scope
Publicly accessible information systems and web properties, controlled by Draken.
How to Submit a Report
Please provide a detailed summary of the vulnerability including: type of issue; product, version, and configuration of software containing the bug; step-by-step instructions to reproduce the issue; proof-of-concept; impact of the issue; and suggested mitigation or remediation actions, as appropriate.
By clicking “Submit Report”, you are indicating that you have read, understand, and agree to the terms and conditions of the program for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to publicly accessible Draken information systems, and that you consent to having the contents of the communication and follow-up communications stored on HackerOne- or Draken-controlled systems.
Guidelines
Draken will deal in good faith with security researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with these terms and conditions:
- Your activities are limited exclusively to:
  - (1) Testing, through remote means, to detect a vulnerability or identify an indicator related to a vulnerability; and
  - (2) Sharing information solely with Draken or receiving information from Draken about a vulnerability or an indicator related to a vulnerability.
- You will do no harm and will not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
- You will avoid intentionally or negligently accessing the content of any communications, data, or information transiting or stored on a Draken information system or systems – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists and can be evidenced as such. An information system is a set of information resources for collecting, processing, maintaining, using, sharing, and disseminating information.
- You will not exfiltrate any data under any circumstances.
- You will not intentionally or negligently compromise the privacy or safety of Draken personnel, or any third parties.
- You will not intentionally or negligently compromise the intellectual property or other commercial or financial interests of any Draken personnel or entities, or any third parties.
- You will not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving express written authorization from Draken.
- You will not disclose to any individual or group of individuals any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving express written authorisation from Draken.
- If during your research you are inadvertently exposed to information that the public is not authorized to access, you will effectively and permanently erase all identified information in your possession as directed by Draken and immediately report to Draken that you have done so.
- You will not conduct denial of service testing.
- You will not conduct physical testing (e.g. office access, open doors, tailgating) or social engineering, including spear phishing, concerning Draken Europe personnel or contractors.
- You will not submit a high volume of low-quality reports.
- If at any point you are uncertain whether to continue testing, please engage with our team.
What You Can Expect From Us
We take every disclosure seriously. We will investigate every disclosure and strive to ensure that appropriate steps are taken to mitigate risk and remediate all reported vulnerabilities. Draken remains committed to coordinating with the security researcher transparently and promptly. This includes taking the following actions:
- Within five business days, Draken will acknowledge receipt of your report. Draken’s security team will investigate the report and may contact you for further information.
- When practicable and authorized, Draken will confirm the existence of the vulnerability to the researcher and keep the researcher informed, as appropriate, while remediation of the vulnerability is under way.
Legal
This policy does not grant authorization, permission, or otherwise allow express or implied access to Draken information systems to any individual, group of individuals, consortium, partnership, or any other business or legal entity. However, if a security researcher working in accordance with the terms and conditions of this VDP program discloses a vulnerability with Draken’s express written consent, then Draken will, in the exercise of its authorities, take the following steps: (1) not initiate or recommend any law enforcement action or civil lawsuits related to such activities against that researcher; and (2) inform the pertinent law enforcement agencies or civil plaintiffs that the researcher’s activities were, to the best of our knowledge, conducted pursuant to, and in compliance with, the terms and conditions of the program – unless Draken can evidence that the researcher’s activities were not carried out pursuant to and in compliance with the terms and conditions of the program, in which case step (1) above will not apply and Draken shall be entitled to take remedial legal action.
You must otherwise comply with all applicable laws, including English law, in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with the terms and conditions of the program or the law. If you engage in any activities that are inconsistent with the terms and conditions of the program or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability. To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-Draken entity (e.g., government departments or agencies; private sector companies or persons; employees or personnel of any such entities; or any other such third party), that non-Draken entity may independently determine whether to pursue legal action or remedies related to such activities. Draken may modify the terms and conditions or terminate the program at any time.