
At Rootline B.V., we take the security of our systems and customer data very seriously. Despite our best efforts, vulnerabilities may still exist. We appreciate responsible disclosures from security researchers and ethical hackers to help us improve our security posture.
Scope
This policy applies to the following systems and services owned and operated by Rootline:
rootline.com
Any other system explicitly mentioned as in-scope by our security team
Guidelines for Responsible Disclosure
If you discover a vulnerability, we ask that you:
Report it as soon as possible by contacting us at info@rootline.com.
Provide sufficient information to reproduce and verify the vulnerability, including steps, screenshots, and proof-of-concept code where applicable.
Avoid disclosing the vulnerability to the public or third parties before we have had the opportunity to investigate and remediate it.
Not exploit the vulnerability beyond the necessary steps to demonstrate it.
Avoid actions that could compromise our customers' data, disrupt services, or impact the confidentiality, integrity, and availability of our systems.
Comply with all applicable laws and regulations.
What We Promise
If you report a vulnerability responsibly:
We will acknowledge receipt of your report within 20 business days.
We will investigate the issue and provide you with an estimated timeline for resolution.
We will keep you informed of our progress and, where applicable, publicly acknowledge your contribution with your consent.
We will not take legal action against you as long as you adhere to this policy.
Out of Scope
This policy excludes the following vulnerabilities, subject to Rootline’s discretion:
potential security configuration issues without a working proof-of-concept, including CSP, weak SSL/TLS ciphers, email authentication problems, cookie flag settings, rate limiting, and security header deficiencies,
physical compromise or intrusions,
rate limiting or brute-force issues on non-authenticated endpoints,
compromises involving an insider,
social engineering (including phishing attempts),
spamming notifications or other attacks that are noisy to users or admin,
reflected file downloads,
account takeovers (including any brute force attacks on accounts that are not yours),
red-teaming, adversarial testing,
content spoofing and text injection issues,
denial of service attacks,
clickjacking on pages with no sensitive actions or cross-site request-forgery (CSRF) on forms with no sensitive actions,
self-exploitation, such as self-XSS or self-DoS (unless it can be used to attack a different account),
dependency hijacking, or
any widely publicized zero-day vulnerabilities that have no patch or have only had a patch available for less than 30 days.
We welcome reports concerning safety issues, “jailbreaks,” and similar concerns so that we can enhance the safety of our system.
Reward and Recognition
We may offer recognition or rewards for valid reports based on severity and impact, at our discretion.
Legal Considerations
This policy is designed to align with the Dutch Coordinated Vulnerability Disclosure guidelines. If you act in good faith and adhere to the terms of this policy, we will not initiate legal proceedings against you.
Contact
To report a security vulnerability, please email us at info@rootline.com with the subject line "Responsible Disclosure Report."
We appreciate your cooperation in helping us maintain a secure environment for our customers and partners.
Last Updated: 6 May 2025
Rootline BV
Prinsengracht 449a
1016 HN Amsterdam
The Netherlands