We consider security a top priority. However, despite our efforts to deliver safe systems, vulnerabilities may exist.
If you do find a vulnerability in one of our systems, please notify us as soon as possible. We would happily cooperate with you to make our systems safer and protect our users!
Our Responsible Disclosure Policy is not an invitation to extensively test our systems.
Since we are based in the Netherlands, we are subject to the laws applicable there.
We ask you:
- To send your findings to email@example.com, encrypted with our PGP key if possible.
- To not abuse the exploit by downloading, changing or deleting data. We will always take your report seriously and we will investigate any suspicion of a vulnerability existing in our systems.
- To not share the exploit with others until the problem has been fixed.
- To not use the following attacks:
  - Physical security attacks
  - Social Engineering attacks
  - Distributed Denial of Service attacks
  - Use of hacking tools, like vulnerability scanners
- To give us sufficient information to reproduce the problem. This makes the process of fixing the problem easier. Usually, a URL and a description of the vulnerability are sufficient. However, more information may be required.
We promise you:
- To react within five (5) working days with our assessment of the problem.
- To handle your report as confidential. We will not share your personal information without prior permission.
- To keep you updated while we fix the problem.
- To credit you, if you allow us, in our reporting to the public.
- We cannot rule out legal actions against you. This depends on the situation. We feel a moral responsibility to report any incident to the (Dutch) police the moment we feel an exploit is being abused, or that you shared an exploit with others. Vulnerabilities found by accident usually do not result in a report to the police.
- To reward you, if possible.