# Hinit.no Responsible Disclosure Policy

# Mutual Expectations

When working with us, you can expect that we:

- Respond in a timely manner to your report
- Work to understand and validate your findings
- Recognize your contribution to improving our security
- Acknowledge your finding on our Security Acknowledgements page if you are the first to report a unique vulnerability

# Scope

Only configuration managed by, or systems operated and/or hosted by, Hinderakers IKT-tjenester for use by Hinderakers IKT-tjenester are in scope.

We use cloud services for many of our customer-facing resources. These services have their own policies for security research and responsible disclosure and are not covered by this policy.

Please contact us via the contact form at https://www.hinit.no/kontakt-oss if you have any questions about scope.

# Submission of report

At a minimum, please include the following information with your initial submission:

- Vulnerability classification (Critical/High/Medium/Low)
- Short description
- Steps to reproduce (please be as detailed as possible; include screenshots if applicable)
- Asset/URL
- Date and time of your testing
- Preferred contact method (e.g. phone, email)

Please encrypt the report if possible using the public key listed in security.txt.

# Rewards

We currently do not offer a reward in the form of money or give-aways.
We respect your work and the high integrity that leads to responsible disclosure and will offer a place on our Acknowledgments page: https://www.hinit.no/security-acknowledgments.txt

# How to Contact us

Our official communication channel is via the contact form at https://www.hinit.no/kontakt-oss

# Ground Rules

To encourage research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:

- Play by the rules, including this policy and any other relevant agreements
- Promptly report any vulnerability you have discovered
- Avoid breaking the Confidentiality, Integrity or Availability of our systems and data
- Avoid violating the privacy of others
- Not engage in extortion.

# Safe Harbor

For responsible disclosure related to systems that are configured by or operated by Hinderakers IKT-tjenester, we will not take legal action against you. You are expected, as always, to comply with all applicable laws.

If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.