Responsible Disclosure Policy

At the AbuseIO Foundation, the security of our systems and the privacy of our users are paramount. This policy provides clear guidelines for conducting research and reporting vulnerabilities in a responsible, coordinated manner.

1. Safe Harbor (Legal Protection)

AbuseIO considers ethical hacking research conducted in good faith and in compliance with this policy to be authorized conduct. We will not pursue civil action or initiate a complaint to law enforcement against researchers who comply with these guidelines. We consider research under this policy to be “authorized” under relevant computer misuse laws.

2. Prohibited Actions

The following actions are strictly prohibited and will result in immediate disqualification from the program and potential legal review:

  • Destructive Testing: (D)DoS attacks, heavy automated scanning, or any action that disrupts our infrastructure.
  • Privacy Violations: Attempting to access, modify, or delete data belonging to other users.
  • Social Engineering: Attacks targeting our staff, contractors, or community members.
  • Physical Security: Attacks against our offices or data centers.

3. Out-of-Scope Items (Rejected by Default)

To reduce “noise,” the following items are considered out-of-scope and will be rejected unless they are part of a larger, high-impact exploit:

  • Email/User Enumeration: Login or “forgot password” messages that reveal if an account exists.
  • Best Practices & Headers: Missing DNS records (SPF, DANE, DKIM) or missing HTTP security headers (HSTS, CSP, X-Frame-Options) without a functional PoC that shows an actual exploit.
  • Information Disclosure: Server version banners, descriptive error messages (without PII), or non-sensitive file paths.
  • Session Management: Logout CSRF or missing Secure/HttpOnly flags on non-authentication cookies.
  • Self-Exploitation: Self-XSS, Self-DoS, or attacks requiring the victim to perform highly unlikely manual actions (e.g., CSV injection, Tabnabbing).
  • Third-Party Platforms: Issues on external sites (e.g., GitHub, Slack, or SaaS providers) or package repositories that are not directly under our administrative control.
  • Purely theoretical attacks that are unproved or based on (incomplete) information or assumptions.

4. Technical Scope

The following list of infrastructure items falls under this responsible disclosure policy, but it is in no way complete or up-to-date. We do not provide detailed scope or updated listings beyond what is listed here:

  • All DNS related to (sub)domains abuse.io, scart.io, abuse.nl, abusereportertool.com, abusereportertool.nl, securitymeld.nl and gedragscode-abusebestrijding.nl or others registered to the AbuseIO Foundation.
  • IP address allocations such as 87.251.42.64/27, 213.154.230.96/28, 2001:7b8:63a::/48 or others linked to the same AbuseIO RIPE object(s).
  • Software located in the AbuseIO GitHub repositories (https://github.com/AbuseIO).

5. The “Stop & Report” Rule (Sensitive Data)

If you accidentally encounter sensitive data during your research, such as Personally Identifiable Information (PII), credentials, or proprietary configuration files, you must:

  • Stop testing immediately.
  • Do not save or share the data.
  • Notify us immediately via your report.
  • Securely delete any local copies once we have confirmed receipt.

6. Submission Guidelines

To qualify for a reward and credit, your report must be high-quality and reproducible on its own.
Email Findings: Send your report to cert@abuse.io and include all the required information, such as:

  • Summary: Brief description of the issue.
  • Impact: What is the real-world risk?
  • Steps to Reproduce: A clear, numbered list of steps.
  • Aggregation: Multiple instances of the same bug on the same platform must be submitted as a single report.

7. Our Commitment to You

  • Response: We will acknowledge your report within 5 business days.
  • Confidentiality: We will not share your personal details with third parties without your permission.
  • Recognition: We will credit you as the discoverer in public disclosures (unless you prefer anonymity).
  • Rewards: For accepted, previously unknown vulnerabilities, AbuseIO may offer a reward or a goodie. The amount or item is determined at our sole discretion based on impact and report quality.

8. Coordinated Public Disclosure

We follow a 90-day disclosure window. We ask that you do not reveal the vulnerability to any third party or the public until it has been resolved. AbuseIO reserves the right to make the final determination on what constitutes a security issue and when it is considered “resolved.”