Our promise to you
- If you have complied with the above terms of the Responsible Disclosure Policy and have not committed any other breaches, we will not take any legal action against you.
- We will respond to your report within a short period of time.
- We will treat your report confidentially and will not share your personal data with third parties without your consent unless this is necessary to comply with a legal obligation.
- We will keep you informed of the progress of solving the problem.
- To thank you for any report of a security problem that is not yet known to us, we offer the opportunity to be listed in our "Hall Of Fame".
- We strive to solve all problems within a reasonable period of time, taking into consideration the criticality of the issue.
- We may choose to ignore low-quality reports.
If you have any questions, we encourage you to contact us.
In case of doubt about the applicability of this policy, please contact us first, to ask for explicit permission.
We reserve the right to change the content of this Policy at any time, or to terminate the Policy.
Your promise to us
- Please refrain from using (high impact) automatic scanners, to minimize the chance of a negative effect on our services. Stay below 50 requests/second!
- When you notice the target is having problems responding to normal requests, please stop the test. You are also encouraged to inform us of this type of problem.
- Don’t disclose the vulnerability until we have been able to correct it. See below for possible publication.
- Don’t exploit the vulnerability by unnecessarily copying, deleting, adapting or viewing data, or, for example, by downloading more data than is necessary to demonstrate the vulnerability.
- Don’t perform any of the following actions:
  - Placing malware (virus, worm, Trojan horse, etc.).
  - Copying, modifying or deleting data in a system.
  - Making changes to the system.
  - Repeatedly accessing the system or sharing access with others.
  - Using automated scanning tools.
  - Using so-called "brute force" to gain access to systems.
  - Using denial-of-service or social engineering (phishing, vishing, spam, etc.).
- Don’t use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications.
- Immediately erase all data obtained through the vulnerability as soon as it is reported to the VRT.
- Don’t perform actions that could have an impact on the proper functioning of the system, in terms of availability and performance as well as the confidentiality and integrity of the data.
Acts under this Responsible Disclosure Policy should be limited to conducting tests to identify potential vulnerabilities, and sharing this information with the VRT.
If, after the vulnerability has been removed, you wish to publish information about the vulnerability, we ask you to notify us at least one month before publication, and to give us the opportunity to respond. Identifying us in a publication is only possible after we have given our explicit approval.
This text is a derivative work of "Responsible Disclosure" by Floor Terra, used under a Creative Commons Attribution licence 3.0.