version October 24, 2020

Vulnerability discovered? Let us know.

If you notice a vulnerability in one of our systems, we ask the discoverer to contact us. We appreciate the careful reporting of such vulnerabilities according to the conditions below and are happy to cooperate so that we can take action as soon as possible.

Conditions

We ask you to adhere to the following conditions:

  • E-mail your findings to security@ibuildings.nl.
    We would like to get in touch with you to (safely) exchange necessary details. Usually the IP address or URL of the affected system and a description of the vulnerability is sufficient, but with more complex vulnerabilities more may be needed.
  • Do not abuse the problem or share it with others until it is resolved.
  • Delete any confidential data obtained immediately or at the latest after the leak has been plugged.

Scope

This responsible disclosure policy applies exclusively to:

  • *.ibuildings.nl
  • *.ibuildings.com
  • *.phpconference.nl
  • *.ib-services.nl

Process

Further processing takes place as follows:

  • As soon as possible, but at the latest within 3 working days we will respond to the report. If possible we will give our assessment and an expected date for a solution. We will keep you informed about the progress of solving the problem.
  • We strive to solve all problems as soon as possible and we would like to be involved in any publication about the problem after it has been solved.
  • We will treat your report confidentially and will not share your personal information with third parties without your permission unless this is necessary to comply with a legal obligation. In reporting the reported problem, we will, if you wish, include your name as the discoverer.
  • If you have complied with the above conditions, we will not take any legal action against you regarding the report.

Reward

As a thank you for your help, we offer a reward for reporting an as yet unknown security issue. We determine the size of the reward based on the severity and quality of the report.

If it concerns a low or accepted risk vulnerability then Ibuildings can decide that the report does not qualify for a reward. These are in any case:

  • Findings related to SPF, DKIM and DMARC records.
  • Absence of DNSSEC.
  • Absence of HTTP security headers.
  • CSRF on forms that can be accessed anonymously (without a session).
  • Brute-force, (D)DoS and rate-limit related findings.
  • Clickjacking and related vulnerabilities.
  • Reports of unsafe SSL/TLS protocols and related misconfigurations.
  • Possibly outdated server or application versions (from external parties) without proof of vulnerability and proof of exploitation.

This responsible disclosure is based on responsibledisclosure.nl with thanks to Floor Terra.