Vulnerability discovered? Let us know.
If you notice a vulnerability in one of our systems, we ask you to contact us. We appreciate the careful reporting of such vulnerabilities according to the conditions below and are happy to cooperate so that we can take action as soon as possible.
We ask you to adhere to the following conditions:
- E-mail your findings to firstname.lastname@example.org.
We would like to get in touch with you to (safely) exchange necessary details. Usually the IP address, domain name or URL of the affected system and a description of the vulnerability is sufficient, but with more complex vulnerabilities more may be needed.
- Do not abuse the problem or share it with others until it is resolved.
- Delete any confidential data obtained immediately or at the latest after the leak has been plugged.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications.
If you have complied with the above conditions, we will not take any legal action against you regarding the report.
This responsible disclosure policy applies exclusively to:
Further processing takes place as follows:
- As soon as possible, but at the latest within 4 working days, we will respond to the report. If possible, we will give our assessment and an expected date for a solution. We will keep you informed about the progress of solving the problem.
- We strive to solve all problems as soon as possible and we would like to be involved in any publication about the problem after it has been solved.
- We will treat your report confidentially and will not share your personal information with third parties without your permission unless this is necessary to comply with a legal obligation.
No invitation for abuse
When investigating a vulnerability in one of our systems, please take into account the proportionality of the attack. You don't have to prove that if you carry out a large (D)DoS attack on one of our services, we will be down for a while. We know that.
So this is not an invitation to actively scan our networks to discover weak spots. Brute force attacks, (D)DoS and social engineering fall outside the scope of this Responsible Disclosure policy.
Do not perform (D)DoS attacks.
Secondly, do not test rate limits on forms. The disruption these 'tests' cause is worse than any possible discovery of rate-limit vulnerabilities.
Reports that are based on the following findings or scenarios are excluded from this responsible disclosure policy:
- Findings related to SPF, DKIM and DMARC records or absence of DNSSEC.
- Absence of HTTP security headers.
- CSRF on forms that can be accessed anonymously (without a session).
- Brute-force, (D)DoS and rate-limit related findings.
- Clickjacking and related vulnerabilities.
- Reports of unsafe SSL/TLS protocols and related misconfigurations.
- Possibly outdated server or application versions (from external parties) without proof of vulnerability and proof of exploitation.
- Version exposure (unless you deliver a PoC of a working exploit).
- Disclosure of known public files or directories or non-sensitive information.
- Reports from automated tools and scans.
Do not submit reports of these excluded findings. These are most likely known and accepted risks, or have already been reported.
As a thank you for your help, we offer a reward for reporting an as yet unknown security issue that fully conforms to this policy. We determine the size of the reward based on the severity and quality of the report.
If the report concerns a previously reported vulnerability, a low-risk vulnerability, or an accepted risk, it does not qualify for a reward.