Coordinated Vulnerability Disclosure (CVD)
Also known as: Responsible disclosure
We consider the security of our systems a top priority, but no matter how much effort we put into system security, vulnerabilities can still be present.
If you discover a vulnerability, we would like to know so that we can take measures to fix it as quickly as possible. We want to ask you to help us better protect our customers and our systems.
Please do the following:
- E-mail your findings to firstname.lastname@example.org (this e-mail address is managed by our incident manager and chief information security officer);
- Do not exploit the vulnerability or problem you have discovered, for example by downloading more data than is necessary to demonstrate the vulnerability or by deleting or modifying data belonging to others;
- Don’t tell others about the problem until it’s resolved;
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications; and
- Please provide enough information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but complex vulnerabilities may require further explanation.
What we promise:
- We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date;
- We treat your report as strictly confidential and do not pass on your personal data to third parties without your consent;
- We will keep you updated on the progress of resolving the issue;
- In public information about the reported issue, we will list your name as the discoverer of the issue (unless you request otherwise); and
- As a thank you, we offer a reward for every report of a security issue that we were not aware of. The amount of the reward is determined on the basis of the severity of the vulnerability and the quality of the report. The minimum reward is a €50 gift card.
We strive to resolve all issues as quickly as possible and would like to play an active role in the eventual publication of the issue after it is resolved.