Coordinated Vulnerability Disclosure

What do you do when you have found something?
At Macaw, we consider the security of our systems very important. Despite our care for the security of our systems, it is possible that there is a vulnerability present that we haven’t discovered ourselves.

If you discover a vulnerability in one of our systems, we would like to hear from you as soon as possible so that we can take steps to address it directly. We would like to work with you to better protect our clients and our systems.

How you can help us!

  • By sending an e-mail with your findings to cvd@macaw.one.
  • By not taking advantage of the vulnerability, for example by downloading, viewing, deleting, or changing any data.
  • By not revealing the found vulnerability to others until it has been mitigated.
  • By deleting all confidential data obtained through the vulnerability, directly after mitigation.
  • By not using attacks on physical security, social engineering, Distributed Denial of Service, spam, or applications of third parties.
  • By providing us with sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but more complex vulnerabilities may require further explanation.

Our response

  • You will receive an acknowledgement of receipt of your report within one working day.
  • We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date.
  • If you have followed the instructions above, we will not take any legal action against you regarding the report.
  • We will handle your report with strict confidentiality and will not pass on your personal details to third parties without your permission, unless it is necessary to do so to comply with a legal requirement. Reporting under a pseudonym is possible, of course.
  • We will keep you posted on the progress towards removing the vulnerability.
  • In the public information concerning the vulnerability reported, we will give your name as the discoverer of the vulnerability (unless you desire otherwise).
  • As a token of our gratitude for your assistance, we will reward you with a Macaw hoodie for every report of a vulnerability that was not yet known to us.

We strive to resolve all problems as quickly as possible, and we would like an active role in the ultimate publication about the problem after it is resolved.

This text is based on an example from Floor Terra.

Questions? Feel free to contact us.
