This policy applies to all systems and domains operated by Slash2 and on behalf of our customers. Reports will be handled centrally by our security team, in coordination with the affected customer when needed.

• Send your findings to security@slash2.nl
• Encrypt sensitive details with our PGP key
• Include enough information for us to reproduce the issue (steps, screenshots, proof of concept)

• Do not abuse or exploit the vulnerability.
• Avoid actions that could disrupt services (e.g. DDoS, brute force, social engineering).
• Respect privacy: do not access, copy or share more data than necessary.
• Limit testing to what is strictly required to prove the finding.

• We will acknowledge your report within a few business days.
• We will investigate and remediate issues in a timely manner.
• We will keep you informed about the status of your report.
• We will treat your report confidentially and will not take legal action if you follow this policy.
• With your consent, we may credit you in our acknowledgments.

We focus our attention on findings that present a real security risk.  
Some issues have little or no practical impact and will generally not be considered valid.

Examples of what is not in scope:

• Typos, broken links, or other content errors  
• Clickjacking on pages without sensitive actions  
• Use of HTTP headers that could be more strict, but already provide a secure baseline  
• Rate-limiting concerns without evidence of actual abuse