RFC 9116 · Security disclosure

Security disclosure policy

RiskFinder builds tools for critical infrastructure. We take security flaws seriously and value responsible disclosure from researchers, customers and partners.

How to report a vulnerability

If you believe you have found a security vulnerability in RiskFinder — in the marketing site, the application, our API endpoints or our infrastructure — please report it to us privately:

Please include enough detail for us to reproduce the issue: a description, steps to reproduce, the affected URL or endpoint, and ideally a proof-of-concept. Encrypted messages are welcome — ask us for a current PGP key.

At a glance

  • Primary contact: [email protected]
  • First response: within 3 business days
  • Disclosure: coordinated, 90 days default
  • Bounty: public acknowledgment, no monetary bounty
  • Safe harbor: yes — see below

Our response timelines

  • Within 3 business days — acknowledgment of your report
  • Within 14 days — initial triage with severity assessment
  • Critical issues — mitigation typically within 7 days
  • Coordinated disclosure — default 90 days from report; we will negotiate longer if a fix requires it, and we will not pressure you to delay disclosure beyond what is reasonable
  • Public credit — with your permission, we will acknowledge your contribution publicly after the fix has shipped

No bug bounty — but real gratitude

RiskFinder does not currently run a paid bug bounty programme. We do offer public acknowledgment, a written letter of thanks, and (for substantial findings) RiskFinder swag and a beer if you're ever in København.

What is in scope

Anything we operate is in scope, including but not limited to:

  • www.riskfinder.dk and riskfinder.dk (this site)
  • API endpoints under /api/ (Cloudflare Workers)
  • The RiskFinder application (subdomain to be confirmed during disclosure)
  • Email and authentication infrastructure operated by RiskFinder

Out of scope: third-party services we do not operate (Cloudflare, Resend, GitHub, PostHog, Google Analytics) — please report those directly to the vendor. Volumetric DoS, social engineering of staff, and physical attacks are also out of scope.

Especially welcome

Findings related to our emergency preparedness (beredskab) and BEK 260 product are especially welcome — we ship a security tool, and integrity matters more than ego. Authentication bypasses, IDOR, SSRF, RCE, broken access control, secret exposure, and supply-chain risks are the categories we most want to hear about.

Safe-harbor commitment

We will not pursue civil or criminal action against researchers who, in good faith:

  • Test only on accounts and data they own, or that we have explicitly authorised them to test
  • Avoid privacy violations, service disruption, and data destruction
  • Report findings privately to us before public disclosure, and give us reasonable time to respond
  • Do not exfiltrate more data than is strictly necessary to demonstrate the vulnerability

If in doubt about whether your testing is in scope or in good faith, email us first — we are happy to clarify.

Out of scope reports

  • SPF/DKIM/DMARC: already configured
  • Missing security headers: without exploitable impact
  • Self-XSS: without victim flow
  • Volumetric DoS: use Cloudflare WAF reports
  • Outdated CMS info: we do not run a CMS

Machine-readable policy

This page is the human-readable security policy. The machine-readable equivalent (RFC 9116) is at /.well-known/security.txt and lists current contact addresses, expiration date and preferred languages.
