Responsible Disclosure Policy

The security of our websites and software products is essential to us and our customers. In spite of our care, procedures and best efforts it is possible that there are vulnerabilities in our websites or software products. If you find any, please tell us as soon as possible so we can fix it.

We ask you to:
E-mail your findings to:

Give us enough information to be able to reproduce the problem so we can fix it a.s.a.p. Usually the URL or file that contains the vulnerability and a description of the vulnerability is enough but when the issue is complicated more info may be required. Give us your contact information so we can contact you when we have questions. Inform us of the vulnerability as soon as possible after you discover it. Do not share any information regarding the vulnerability with third parties until it is fixed. Be responsible by not taking any actions other than the minimum required to verify the vulnerability.

The following is explicitly NOT allowed:

  • Uploading malware, virusses, trojans etc.
  • Changing or removing information
  • Changing the system configuration
  • Sharing access with others
  • Using denial-of-service attacks
  • Anything that damages or has a negative impact on the availability of our websites, or the systems of the users of our software

If you think you have found a vulnerability but feel you cannot produce proof of compromise without complying with the above restrictions, please contact us.

What you can expect from us:

  • If you play by the rules set above when finding security vulnerabilities, we will not pursue any legal action against you regarding the discovery of the vulnerabilities you reported to us.
  • We treat every report with the highest confidentiality and will never share your personal information without your express consent, unless we are forced to do so by a legally binding court order.
  • If you give us permission, we will credit you for reporting a confirmed vulnerability by putting your name in a thank you section on our website and release notes.
  • We will send you a confirmation of the receipt of your report within one business day
  • We will respond to a report within 3 business days with an assessment of the vulnerability and the expected time needed to fix the issue
  • We will keep you informed of the progress we make in fixing the issue
  • We aim to fix the issue reported by you a.s.a.p. The maximum time we may take to fix any issue is 60 days after getting the report.

What we do with vulnerabilities we find ourselves:
When we find vulnerabilities in software of websites we use we will inform the responsible parties according to their responsible disclosure policy.

Based on the “Leidraad Responsible Disclosure” by Floor Terra

Only reports of real vulnerabilities with proof that you personally can exploit them are eligible for rewards. Please DO NOT submit output from automated scanning tools without personally verifying the reported vulnerabilities.

We may reward real world exploitable vulnerabilities with proof of compromise with monetary compensation ranging from €100 to €10,000, depending on the possible impact of the vulnerability. Eligibility and size of bounties are solely at our discretion.

Reports of old software versions or missing best practices without proof of exploitability will just earn you in our gratitude.

Reporting data breaches
Your privacy and the confidentiality of you and your data is very important to us. In spite of the care we take protecting your data it is possible for information to leak. This is how we would handle such an event:

What we consider a data breach
A situation where we know or can reasonably suspect that unauthorized access to personal or business information entrusted to us has occurred

How we respond to a data breaches
After finding out about the data breach, our highest priority is fixing the leak and preventing damage to those concerned. We will investigate the breach to determine how and what data was leaked, what the cause of the breach was and who had access to the leaked data. We will take actions to prevent this from happening again. When we find illegal acts have been a factor in the data breach we will report this to the police.

Who do we inform about a data breach
We will inform all persons and organisations affected by the data breach. We will inform the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) whenever Personally Identifiable Information is involved.