Responsible disclosure policy
Last updated: 21 June 2023
Our program
At Silverfin, we are committed to ensuring the security of our information, systems and services and value the role of security researchers in helping us mitigate cybersecurity risk.
If you believe you have discovered a suspected cyber threat or security issue that affects the confidentiality, integrity or availability of Silverfin’s information, systems or services (“vulnerability”), please submit a report to our team via one of the methods below.
For the protection of our customers, we treat all information regarding a vulnerability as confidential and ask that you do not publicly disclose, discuss or confirm the details of any suspected security issues.
If you believe you have discovered a suspected cyber threat or security issue that affects the confidentiality, integrity or availability of Silverfin’s information, systems or services (“vulnerability”), please submit a report to our team via one of the methods below.
For the protection of our customers, we treat all information regarding a vulnerability as confidential and ask that you do not publicly disclose, discuss or confirm the details of any suspected security issues.
What's not allowed
While we encourage security research on our products and services, the following types of research are strictly prohibited:
- Accessing or attempting to access accounts or information you are not authorised to
- Any attempt to modify or destroy information
- Sending or attempting to send unsolicited or unauthorised email or other type of message
- Conducting social engineering (including phishing) of Silverfin employees, contractors, customers or any other related party
- Posting, transmitting, uploading, linking to, sending or storing malware that could impact our services, products or customers
- Exfiltration, disclosure or use of any proprietary or confidential information or data of Silverfin (including customer data) under any circumstances
- Clickjacking
- Weak or insecure SSL ciphers and certificates
- Any attempts of a Denial of service (DoS)
- Any activity or attempt to gain unauthorised access to Silverfin software or systems in violation of law.
Reporting a security issue
You can responsibly disclose suspected vulnerabilities to the Silverfin Team by emailing
To assist us in investigating your report, we recommend you follow the structure:
- Affected product or service, including affected URL(s)
- Your name and contact information (if you do not wish to provide your personal information, you may contact us anonymously, or by using a pseudonym)
- Date, time and time zone of when the suspected vulnerability was discovered
- IP address used when suspected vulnerability was discovered
- Steps to reproduce the vulnerability
Next steps
Upon submitting your disclosure, you will receive confirmation that we’ve received it within 5 business days.
We will use the disclosure information you provide to enhance the security of our systems. We may also use the information in notifications to regulatory bodies, to comply with laws, and assist government or law enforcement agencies.
We will use the disclosure information you provide to enhance the security of our systems. We may also use the information in notifications to regulatory bodies, to comply with laws, and assist government or law enforcement agencies.
Privacy
If you have provided your personal information, we may contact you for more information to assist us with investigating your disclosure.
For more information about how we handle your personal information, you can refer to our privacy policy: https://www.silverfin.com/privacy.
As Silverfin is a Belgian company, you are also protected by the Belgian Act on the Protection of Whistleblowers.
Recognition
Silverfin does not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities through the responsible disclosure program.
However, we are very grateful for any submissions and are happy to write LinkedIn recommendations or even invite you to our private bug bounty program with Intigriti to monetise any future research.
However, we are very grateful for any submissions and are happy to write LinkedIn recommendations or even invite you to our private bug bounty program with Intigriti to monetise any future research.