Bonsai Software

Security policy

Bonsai Software B.V. builds and runs software that our clients rely on to keep their operations running. For that reason, we take security seriously. If you find a vulnerability, we will help you report it responsibly. Version 5 June 2026.

01 · Scope and application

This policy covers our website and the online services we run ourselves. Systems we manage on behalf of clients may be subject to separate arrangements, so please contact us first in that case.

02 · Reporting a vulnerability

If you find a possible vulnerability, please report it as soon as you can via security@bonsaisoftware.nl. Encrypt any sensitive information where you can, and give us enough detail to reproduce the issue:

  • A description of the vulnerability and its potential impact.
  • The steps to reproduce it, along with the URLs or components involved.
  • Any logs, screenshots or proof of concept.
  • How we can reach you for follow-up questions.

03 · Ground rules

So that research can be carried out responsibly, we ask the following of you:

  • Give us a reasonable amount of time to fix the issue before you disclose it publicly.
  • Avoid research that disrupts our services, damages data or harms the privacy of others.
  • Do not use social engineering, physical attacks or automated stress or denial-of-service testing.
  • Do not access, change or delete data that is not yours, and use only your own test accounts.

04 · Our commitment

  • We acknowledge your report within three working days.
  • We keep you posted on our progress and on the fix.
  • We will not take legal action against researchers who act in good faith in line with this policy.
  • We are glad to credit you as the person who found it, if you would like us to.

05 · Out of scope

We will usually not act on the following kinds of report:

  • Missing best practices with no demonstrable impact, such as one absent header on its own.
  • Reports drawn purely from automated scans, with no confirmed vulnerability.
  • Vulnerabilities in third-party software over which we have no control.
  • Spam, phishing or social engineering aimed at our staff.

06 · Our security measures

The technical and organisational measures we apply include the following:

  • Encrypted traffic over HTTPS with modern TLS, and security headers on our website.
  • Access management based on the principle of least privilege.
  • Separated environments and managed access to production systems.
  • Regular updates to software and dependencies.

07 · Contact

Please send security reports and any questions about this policy to security@bonsaisoftware.nl. For anything else, use info@bonsaisoftware.nl. A machine-readable version of our contact details is available at /.well-known/security.txt.
