We provide a security.txt file for structured security contact information. You may also use email, via firstname.lastname@example.org addresse, but please remember that email is unencrypted by default and should not contain confidential or security-related information.
If you believe this site has a security vulnerability, we would be very happy to hear from you, provided that you follow the terms of our disclosure process:
- The disclosure must be made following the contact procedure set out above.
- The disclosure may be made anonymously.
- The disclosure you make to us should relate directly to this site or to the email service associated with it.
- The disclosure must relate to a service in our control, rather than to a matter which is the responsibility of a third party providing a service to us.
- The disclosure must not be released to the public without our prior consent.
- Abusive or threatening language, harassment, impersonation, or any other kind of criminal activity, will be reported to the relevant authorities and pursued to the full extent of the law.
Automated penetration testing or unauthorised attempts to gain access to our site will be treated by us as a deliberate attack and be subject to legal action.
- The disclosure must relate to a matter set out below and specifically not to matters such as the exact configuration of our current security headers or to recently announced zero-day vulnerabilities:
- Information leakage, or leakage of personal data
- Unauthorised access at either user or root level
- Code injection
- Remote code execution
When a potential security issue is reported privately in accordance with these terms, we will check the issue and respond within one working week if you have provided valid contact details.
We will not take legal action against anyone who reports a security concern to us privately, in accordance with this policy, and without having undertaken intrusive testing. We are not currently able to offer ‘bug bounties’ or similar cash rewards, but, with your consent, we would be happy to publish an acknowledgement on this site to express our gratitude.
Thanks and acknowledgements
CSIRT DOCAPOSTE would like to thank the following testers, researchers, and developers:
- SLCC LA POSTE