Notification
We ask you to report your findings as soon as possible after discovery to firstname.lastname@example.org
We ask you
- Report as soon as possible to prevent malicious parties from finding the vulnerability and taking advantage of it;
- Report to the organization in a confidential manner to prevent others from gaining access to this information;
- Provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible. A description of the vulnerability is usually sufficient, but more complex vulnerabilities may require more;
- Do not disclose the vulnerability or problem to others until it is resolved;
- Do not place your own backdoor in an information system in order to subsequently demonstrate the vulnerability, since this can cause additional damage and create unnecessary security risks;
- Do not abuse a vulnerability further than is necessary to establish that it exists;
- Do not copy, change or delete data from the system. An alternative to this is making a directory listing of a system;
- Do not make any changes to the system;
- Do not access the system repeatedly or share it with others;
- Do not use brute force attacks, attacks on physical security, social engineering, distributed denial of service, spam or third-party applications to gain access to systems.
What we promise
- We respond to your report within 5 days with our assessment of the report and an expected date for a solution;
- If you have complied with the above conditions, we will not take legal action against you regarding the report;
- We will treat your report confidentially and will not share your personal information with third parties without your permission, unless this is necessary to meet a legal obligation. Reporting under a pseudonym or anonymously is possible;
- We will keep you informed of the progress of solving the problem;
- In reporting on the problem, we will, if you wish, state your name as the discoverer;
- We strive to resolve all issues as quickly as possible and are happy to be involved in any publication about the issue after it has been resolved.
No invitation to active scanning
Our so-called coordinated vulnerability disclosure policy is not an invitation to actively scan our network or our systems for weak spots. We monitor our company network ourselves, which means there is a good chance that we will pick up your scan, which may lead to unnecessary costs.
This policy has been drawn up on the basis of the Guidelines Coordinated Vulnerability Disclosure policy (CVD) from the National Cyber Security Center (NCSC).