Code of conduct
At Catawiki, we consider the security of our systems a top priority. When developing and providing our services, security has a key role. Will you help us improve the security and reliability of our systems?
Code of conduct for notifying security leaks
No matter how much effort we put into system security, there can still be vulnerabilities present. If you discover a vulnerability, we would like to know about it so we can take appropriate steps to address it as quickly as possible. Therefore we would like to ask you to help us better protect our users and our systems. We make use of the services of Zerocopter, a third party platform on which you can leave a notification for us. To avoid misuse of any vulnerability by third parties, we would like you to observe the code of conduct as described below when detecting a vulnerability and when leaving your notification.
Code of conduct for responsible disclosure
If you have found a vulnerability, we kindly ask you to:
- submit your finding(s) on Zerocopter;
- not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying (third party) data;
- not reveal the problem to others until it has been resolved and Catawiki agrees on its disclosure;
- never publicise any personal data that you have retrieved and delete all such information retrieved through the vulnerability;
- not make any changes to the systems;
- not use attacks on physical security, social engineering, distributed denial of service (DoS and DDoS), spam or applications of third parties;
- provide sufficient information to reproduce the problem so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
We promise you that:
- we will respond to your notification within five (5) working days with our evaluation of the report and an expected resolution date;
- if you have followed the instructions above, we will not take any legal action against you in regard to the notification;
- we will treat your notification confidentially and we will not pass on your personal details to third parties without your permission (unless so required under a statutory obligation or by a court order);
- we will keep you informed of the progress towards resolving the problem.
In the event you have not observed the above code of conduct, Catawiki reserves the right to take steps against you at a later date.
Note: please do not use the Zerocopter platform for any questions or complaints related to the services of Catawiki or user material on the platform. If you have any questions or complaints unrelated to security vulnerabilities in our systems, please contact our Customer Support.
This code of conduct for notifying vulnerabilities in security at Catawiki is subject to Dutch law.