version January 7, 2021

Vulnerability discovered? Let us know.

If you notice a vulnerability in one of our systems, we ask the discoverer to contact us. We appreciate the careful reporting of such vulnerabilities according to the conditions below and are happy to cooperate so that we can take action as soon as possible.


We ask you to adhere to the following conditions:

  • E-mail your findings to
    We would like to get in touch with you to (safely) exchange necessary details. Usually the IP address or URL of the affected system and a description of the vulnerability is sufficient, but with more complex vulnerabilities more may be needed.
  • Do not abuse the problem or share it with others until it is resolved.
  • Delete any confidential data obtained immediately or at the latest after the leak has been plugged.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or third party applications.

If you have complied with the above conditions, we will not take any legal action against you regarding the report.


This responsible disclosure policy applies exclusively to:


Further processing takes place as follows:

  • As soon as possible, but at the latest within 3 working days we will respond to the report. If possible we will give our assessment and an expected date for a solution. We will keep you informed about the progress of solving the problem.
  • We strive to solve all problems as soon as possible and we would like to be involved in any publication about the problem after it has been solved.
  • We will treat your report confidentially and will not share your personal information with third parties without your permission unless this is necessary to comply with a legal obligation. In reporting the reported problem, we will, if you wish, include your name as the discoverer.

No invitation for abuse

When investigating a vulnerability in one of our systems, please take into account the proportionality of the attack. You don’t have to prove that if you carry out a large (D)DoS attack on our website, we will be down for a while. We know that.

So this is no invitation to actively scan our networks to discover weak spots. Brute force attacks, (D)DoS and social engineering fall outside the scope of this Responsible Disclosure policy.

Do not perform (D)DoS attacks.


As a thank you for your help, we offer a reward for reporting an as yet unknown security issue. We determine the size of the reward based on the severity and quality of the report.

If it concerns a low or accepted risk vulnerability then Ibuildings most probably will decide that the report does not qualify for a reward. These are in any case:

  • Findings related to SPF, DKIM and DMARC records.
  • Absence of DNSSEC.
  • Absence of HTTP security headers.
  • CSRF on forms that can be accessed anonymously (without a session).
  • Brute-force, (D)DoS and rate-limit related findings.
  • Clickjacking and related vulnerabilities.
  • Reports of unsafe SSL/TLS protocols and related misconfigurations.
  • Possibly outdated server or application versions (from external parties) without proof of vulnerability and proof of exploitation.

This responsible disclosure is based on and the NCSC’s CVD policy guideline.