Responsible Disclosure Policy
If you have found a weak spot in one of the ICT systems within our network, we would like to hear about this from you, so the necessary measures can be taken as quickly as possible to rectify the vulnerability. We collaborate with you in order to better protect our customers and our systems.
We ask you to do the following:
- E-mail your findings to firstname.lastname@example.org.
- Handle your knowledge of the security problem with care by not performing any acts other than those necessary to reveal the problem.
- Do not share information about the security problem with others until the problem has been solved.
- Do not use attacks on physical security, social engineering, distributed denial-of-service attacks, spam or third-party applications.
- Report the vulnerability as quickly as possible after its discovery.
- Provide sufficient information to reproduce the problem so that we can solve it as quickly as possible. The IP address or the URL of the affected system and a description of the vulnerability are usually sufficient, but more may be needed for more complex vulnerabilities.
What you can expect from us:
- We will respond to a report within three working days with an assessment of the report and an expected date for a solution.
- If you comply with the conditions above when reporting the observed vulnerability in one of our ICT systems, we will not attach any legal consequences to this report.
- We will handle a report confidentially and will not share personal details with third parties without permission from the reporter, unless this is required by a judicial decision.
- We will keep the reporter up to date on the progress made in solving the problem.
- In mutual consultation, we can, if you desire, mention your name as the discoverer of the reported vulnerability.
- We offer a place on our Responsible Disclosure Hall of Fame as a thank you for reporting a security problem that is unknown to us. For reporting security issues we consider very serious, we may offer additional rewards. The reward offered varies (no cash though), depending on the seriousness of the security problem and the quality of the report.
We strive to resolve any security problems as quickly as possible, and we would like to be involved in any publication about the problem after it has been resolved.
Check our Responsible Disclosure Hall of Fame