How to report security problems to Cere?

⚠️ DO NOT CREATE ANY PUBLIC ISSUES OR POSTS related to (potential) security-related findings.

Instead, send an email to [email protected], sharing your preferred contact method (email, Telegram, Discord, etc.) along with your GitHub handle. We will get back to you within 1 business day with confirmation of receiving your report and proposed next steps.

Responsible Disclosure Policy

Cere does not publicly disclose or confirm security vulnerabilities until Cere has conducted analysis in cooperation with a third-party security auditing firm.

We work with security experts at Halborn to complete critical analysis of reported vulnerabilities.

By submitting a vulnerability report ("Report"), you agree to not publicly disclose or share the reported vulnerability with any third party. Cere must be informed in advance about your intended publications and their content. The publication must NOT include any customer, confidential or sensitive data, and must focus on the technical vulnerability discovered.

In the event of publication, Cere and you shall mutually agree on a coordinated disclosure.

If you submit a Report which affects a third-party service, we will limit the information that we share with any affected third party. We may share non-identifying content from your report with an affected third party. We will not share your identifying information with any affected third party without first obtaining your written permission.

Reporting

If the reporter has the opportunity to access personal data or particularly sensitive personal data, the reporter shall notify Cere immediately in writing by email at [email protected].

Introduction

Cere has no authority to issue instructions or to monitor the reporter. The reporter organizes and provides his services in this context according to his own organizational considerations and on his own professional and entrepreneurial responsibility, in particular with reference to the determination of the place of performance and the hours of activity. The reporter decides freely and independently how the service is provided. The reporter uses his own working tools to provide the services. The reporter is not entitled to any compensation in this regard.

In any case, Cere is entitled to all (work) results, including the technical database and processing methods, in connection with and/or resulting from the advisory activity in accordance with this agreement.

Data secrecy

The reporter is also obliged to maintain data secrecy in all of his activities for the client. Specifically, this means that the reporter keeps all information, data and personal data known or entrusted to him secret and does not pass it on to third parties.

Data protection

The reporter is obliged to comply with all data protection provisions and applicable data protection regulations within the scope of his activity and applies the necessary care to protect data. Data protection violations detected by the reporter must be reported to the client immediately. In particular, the reporter must observe the data protection regulations and instructions of Cere. Deficits in the Cere security system discovered by the reporter must be reported to the client immediately.

Data minimisation

The reporter must limit the amount of data accessed to a strict minimum. You are expected to access the minimal amount of data necessary to prove the existence of a vulnerability!

Social engineering

Any social engineering techniques such as phishing, smishing or vishing are forbidden.

Taxes

The reporter is solely responsible for the correct taxation of fees received. In the event that the payments are subject to VAT, the client shows the VAT and the VAT is paid by the client. The reporter furthermore guarantees that he will independently pay all (social) insurance contributions as well as all taxes and duties required by the applicable legislation for the provision of the advisory activity. At the request of the client, the reporter will provide evidence of having met these obligations.

All taxes and all awards are subject to your current situation and the applicable laws. We are not able to pay bounty awards to individuals who are on a U.S. sanctions list or in a country on a U.S. sanctions list.

Confidentiality

The reporter is obliged to keep all data, personal data and information received in connection with his consulting activity confidential and not to pass them on to third parties. The abstract naming of a system vulnerability found is expressly not covered by the obligation of secrecy. However, the name may only be given after Cere has remedied the vulnerability.

In addition, the reporter is obliged to treat business and manufacturing secrets known to him confidentially and not to pass them on to third parties. The duty of confidentiality remains in place even after the consultation contract has ended. The reporter undertakes not to establish, under any circumstances, direct or indirect contact or communication with the customers and customers of the customer.

After completing his consulting work, the reporter will return in full all physical and digital documents and data that he received in the course of fulfilling this consulting contract. Copies of documents and data may not be made.

Bank account

The reporter must provide a wallet address and some KYC information for processing.

IP

Cere does not claim ownership rights to anything you report. However, by providing any report to Cere, you:

Public Recognition