Reporting of vulnerabilities

Responsible Disclosure

If you believe you have found a security issue in our code, we encourage you to notify us. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users, and we will consider rewarding valid, in-scope submissions.

How can we work together to secure systems?

We ask you:

  • send your findings to the email address [email protected] as soon as possible, or use the web form so that your findings do not fall into the wrong hands (see the vulnerability reporting form below);
  • do not exploit the vulnerability, e.g. by downloading more data than is needed to demonstrate it, looking into third-party data, or deleting or modifying data. Be extra cautious when personal data is involved;
  • do not share information about the vulnerability until it has been resolved, and erase any data obtained through the vulnerability as soon as possible;
  • do not attack physical security or third-party applications, use social engineering, spam or malware, or orchestrate (distributed) denial-of-service attacks;
  • provide sufficient information for us to reproduce the vulnerability so that we can resolve it quickly;
  • an IP address or URL of the affected system together with a description of the vulnerability will usually be sufficient, but complex vulnerabilities may need additional information (for example, the exact request, the steps to reproduce, and the observed result).

We promise:

  • if you comply with the above requests, we will not take legal action against you regarding the reported vulnerability. Note that the Dutch Public Prosecution Service retains its right to investigate and prosecute unlawful actions; we cannot waive that right on its behalf;
  • we respond to your report with an assessment within one week and provide an estimated time to resolution;
  • we treat your report confidentially and will not share your personal data unless required by law;
  • we will keep you informed of our progress in resolving the issue;
  • in reporting on the vulnerability we will, if you wish, mention you as the contributor;
  • reporting anonymously or under a pseudonym is possible. Please be aware that in that case we will not be able to contact you about the next steps, our progress or any reward for the report;
  • as a token of our appreciation for your help, we offer a reward for the first report of a previously unknown vulnerability. The exact reward is determined by the severity of the vulnerability and the quality of the report, and ranges from an honourable mention to a gift;
  • we strive to resolve any vulnerability as soon as possible.

What does not qualify as a vulnerability:

  • intentional listing of directory contents for research or publication purposes
  • SPF, DKIM or DMARC issues
  • scanner output or scanner-generated reports, including output from any automated or active exploit tool
  • any vulnerability obtained through the compromise of an employee account
  • missing 'Secure' or 'HttpOnly' flags on non-sensitive cookies
  • reports of obsolete or upgradable software versions without a working proof of concept that demonstrates exploitability
  • missing DNSSEC configuration
  • account takeover (PLA, user enumeration, etc.)
  • xmlrpc.php accessibility
  • clickjacking; login/logout CSRF
  • fingerprinting; error message disclosure
  • protocol-level attacks (e.g. BEAST, BREACH)
  • lack of security headers, HttpOnly flags, etc.

Vulnerability reporting form

The form asks whether you want to be publicly acknowledged and for a description of the vulnerability.
