Responsible Disclosure

At the Talya Bilişim we greatly value the support of IT security researchers and members of cybersecurity communities in helping us to maintain our high IT security standards. If you identify an IT security vulnerability relating to any of our websites please notify us promptly before disclosing the vulnerability to the outside world, so that we can take the necessary measures. This is known as responsible disclosure. Please keep all information relating to the discovered vulnerability secret from all third parties for a period of at least 90 days, allowing us to identify and implement the measures needed to address the issue you have reported. The current scope for reporting includes the following websites: the Elektraweb main website : www.elektraweb.com the Elektraweb PMS website :  app.elektraweb.com How do you notify us? If you have identified a security vulnerability, please proceed as follows: Send us your notification as soon as possible via email to [email protected] Please include the following information in your report:

• your contact details (i.e. name, email address etc.)
• the type of vulnerability identified
• the service/device/application impacted by the vulnerability
• a detailed description of the problem encountered
• the IP address(es) from which the security vulnerability was identified, together with the date and time of the discovery
• a compressed archive (zip) with any files that can help in reproducing the flaw (e.g. screenshots, images, text files with description details, source code, scripts, logs, source IP addresses, etc.).

Please act responsibly in dealing with your discovery of the identified security vulnerability. Do not take any actions that go beyond what is needed to identify and verify the issue. Please do not use the identified security vulnerability to your own advantage and avoid storing any confidential data obtained as a result of the issue. Examples of vulnerabilities we will consider

• Injection and deserialization vulnerabilities (SQL injection, command injection, object deserialization)
• Broken authentication and broken access control vulnerabilities (incorrect implementation of authentication, session management, access control)
• Sensitive data exposure (vulnerabilities that can lead to data leakage)
• Cross-site scripting
• Cross-site request forgeries
• Server-side request forgeries
• Redirect vulnerabilities
• Underprotected API

Examples of vulnerabilities we will not consider We continuously monitor our internet-exposed assets to identify security issues and misconfigurations, and we therefore kindly ask that you avoid reporting the following items if they don’t lead to actual exploitation:

• Weak configurations of the TLS protocol
• Reports of non-compliance with best practices (e.g. for SPF/DKIM/DMARC configuration, content security policy, TLS misconfigurations)
• Output of well-known automated tools/solutions.

How will we respond? If you report a security vulnerability relating to any of our websites specified above, we will process your report as follows.

• We will confirm receipt of your report within two business days.
• We will send you our response within five business days following the confirmation of receipt, setting out our assessment of the issue and the expected resolution date. In some special circumstances, we reserve the right to extend this period by giving appropriate notice.
• We will treat your report as confidential and will not share your details with third parties, except when obliged to do so by law.

We are currently not running a reward programme for reporting vulnerabilities. Privacy statement You can refer to the privacy statement for more information on how we handle your personal data within the Responsible Disclosure Programme.