Responsible disclosure

It is important to us that our services are safe, and we do everything we can to keep them safe. If you do find a problem or weakness in our security, we would like to hear about it so that we can immediately take the necessary measures to resolve the vulnerability. We call reporting a vulnerability responsible disclosure.

How do you report a problem?

  • Report a vulnerability as soon as possible. Send the finding via our upload portal. If the portal doesn’t work, please contact us at +31588458000.
  • Please provide us with as much information as possible so that we can reproduce the problem. This includes a detailed description of the steps you have taken, IP addresses used, logs, screenshots, etc. This helps us to solve the problem as quickly as possible.
  • We would like to receive your e-mail address and phone number so that we can contact you if we have further questions and thank you for your help.

What should you pay attention to?

  • Do not share the information about the vulnerability with third parties.
  • Destroy the data you obtained.
  • Do not go beyond what is necessary to demonstrate the problem.
  • Do not exploit the vulnerability. If this happens, we will report it to the police.

What is not allowed?

  • Placing malware.
  • Making copies of data, changing data or deleting data.
  • Making adjustments in or to our systems.
  • Accessing our systems multiple times or sharing access with others.
  • Using “brute force” techniques to gain access to our systems.
  • Using (D)DoS or social engineering techniques.

What not to report:

  • Physical attacks.
  • Non-reproducible situations.
  • Exploits that cannot be validated with a second method/tool.
  • User errors.
  • Simple enumerations, OS version numbers, services and ports.
  • Publicly available files that should be publicly available.
  • Missing HTTP-only flag on cookies that do not contain sensitive information.
  • TLS misconfiguration with no proof of concept that this vulnerability can be exploited.
  • Incomplete or missing SPF, DKIM or DMARC records.
  • Services running at third parties (consult their own responsible disclosure page).
  • E-mail addresses found in a data breach at a third party.
  • Vulnerabilities for which patches have been released in the last 2 weeks.
  • URL redirects (to a valid page).

Known issues

If problems are already known to us and are already being worked on, or if we have designated them as accepted risks, the report will not be processed further. This will then be indicated by our employees.

What can you expect from us?

  • We will send you a response within 1 working day so that you know that the report has arrived.
  • We will send you an e-mail within 5 working days with a substantive response and, if possible, an expected resolution date.
  • We treat your report confidentially and we will keep you informed of the progress.
  • We do not attach any legal consequences to the report, provided the above is taken into account.