Responsible Disclosure

At Chargetrip, we consider the security of our systems and data a top priority. But no matter how much effort we put into system security, there will be vulnerabilities. If you discover a vulnerability, we would like to know about it first so we can take steps to address the problem as quickly as possible.

Of course, your actions must not violate any law or disrupt or compromise any data that is not your own.

Found a security vulnerability?

Please do the following so we can address the vulnerability immediately.

  • E-mail your findings to Encrypt your findings using our PGP key to prevent critical information from falling into the wrong hands,
  • Please, do not take advantage of the vulnerability or problem you have discovered, for example, by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data,
  • Please refrain from revealing the problem to others until it has been resolved,
  • Please, do not use attacks on physical security, social engineering, distributed denial of service, spam, or applications of third parties, and
  • Please provide sufficient information to reproduce the problem so we can resolve it as quickly as possible. Usually, the affected system's IP address or URL and a description are sufficient. However, complex vulnerabilities may require further explanation.

Our commitment to vulnerability disclosure

  • We will respond to your report within ten business days with our evaluation of the information and an expected resolution date,
  • If you follow the instructions above, we won't take legal action against you in response to your reported findings,
  • We will handle your report with strict confidentiality and will keep your personal details private,
  • We will keep you informed of the progress towards resolving the problem,
  • We will credit you as the discoverer of the vulnerability in any potential public statement (unless you desire otherwise), and
  • As a token of our gratitude, we will offer a reward for every reported and validated security issue. Our security officer will determine the reward amount based on the leak's severity and the report's quality. The minimum reward will be a €25 pre-paid Visa or MasterCard. All rewards will be paid using pre-paid credit cards; please know there are no exceptions to how we pay potential rewards.

This policy is effective as of the 1st of August 2022. This policy is not a competition but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Chargetrip reserves the right to change this policy at any time.

Please note that we cannot issue rewards to individuals on sanctions lists or those in countries on EU sanctions lists.

Chargetrip Data Controller
Chargetrip B.V.