Responsible Disclosure Policy

Safety & Integrity

CM.com is a listed company that provides Conversational Commerce services from its privately owned cloud platform with 100% in-house developed software. We believe that mobile communication will result in mobile commerce. Therefore, we continuously develop our private cloud platform, shaping the future of Conversational Commerce.

We aim to be flexible, scalable and fast at delivering services to our customers, while maintaining the highest standards in security and compliance. Therefore, all software on CM.com’s platform is designed and developed by our own staff. The platform runs on our own self-operated servers and software and is hosted in both our own data centers and external data center locations of top-tier certified suppliers.

Providing an online infrastructure for communication and payments comes with great responsibility. Therefore, ensuring the availability, integrity and confidentiality of our platform is CM.com’s top priority. CM.com greatly values the safety and integrity of its platform. Our IT department is active 24/7 to monitor security and meets the requirements set for appropriate technical and organizational measures.

Despite the effort we put into the security of our systems, there may still be vulnerabilities.

Reporting Suspected Vulnerabilities

Did you, as a security researcher or a client, discover a vulnerability in our system? Please help us by reporting it, so that we can improve the safety and reliability of our systems together. If you would like to report a vulnerability or have a security concern regarding the website of CM.com or its services, please email [email protected]. Clients are also welcome to submit their request to [email protected].

Our support team and a team of security experts will investigate the submitted finding(s). To make it easier for us to reproduce the finding, please also include your steps to reproduce or your proof of concept. We will confirm the received submission via e-mail within five working days. We will treat a submitted report as confidential and will not share (your) personal data with third parties without (your) permission. We will keep the submitter informed about the progress of solving the problem.

Please note: do not disclose findings without prior written notice by us.

Applicable Rules

  • Don't abuse any vulnerabilities. Please make sure that you do not cause any damage with the vulnerability you have discovered. Under no circumstances may your actions lead to a deliberate interruption of the services or to the disclosure of client data.
  • Please refrain from using social engineering to gain access to a system, and do not use automated scanners to detect vulnerabilities.
  • Limit the use of a vulnerability to an absolute minimum. Do only what is necessary to establish the vulnerability.
  • Do not make any system changes or remove/copy any data from the system.
  • You shall not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability.