Coordinated Vulnerability Disclosure
Collaborate with us
If you nevertheless notice a weak spot in one of our IT systems, we would appreciate it if you would report it to us first. Publicising weak spots in our IT systems without having spoken to us about them first may have serious consequences, however good your intentions are.
Reporting weak spots
Please fill out the form at the bottom of this page.
What will happen to your report?
Someone will contact you within 1 working day to notify you that the report has been received.
A team of security experts will investigate your report in the meantime and someone will contact you within 3 working days. This may be in relation to the weak spots you have identified, how you found these and any subsequent steps.
Don’t be afraid. Your personal data will only be used to undertake further action based on the information you provide in your report. In principle, we will not share your personal data with third parties without your permission.
It’s important that you stick to the rules
During your investigations, you may carry out actions that are punishable by law. As long as you keep to the rules for reporting weak spots in our IT systems, we will not report you to the police or claim for losses or damage.
We cannot guarantee that you will never be prosecuted if you commit a punishable offence during the course of your investigations, even if we do not report such an offence. The public prosecutor always has the final say as to whether or not you will be prosecuted. We have no say in this.
- Be responsible and careful;
- Only use methods that are strictly necessary for finding or pointing out the vulnerabilities;
- Use the weaknesses you have identified only for your own investigations and never for any other purpose;
- Do not use social engineering, brute-force attacks or lateral movement to gain access to a system. Denial of service attacks are also not welcome;
- Do not install a backdoor in a system, even with the intention of demonstrating the vulnerability. A backdoor renders a system even more insecure;
- Do not change or delete any details in the system;
- Never copy more data than necessary. If a single record is sufficient for your investigations, do not copy any more;
- Do not penetrate a system more often than necessary;
- Last but not least, do not share the access you gained with others.
What is not in our scope?
Motiv ICT Security will not proceed any vulnerability classified as information disclosure or low risk that cannot be abused. Below you can find some examples of known vulnerabilities or security flaws that fall outside the above regulations. We are aware that these should be resolved, however, Our CVD process involves reporting issues that could be directly abused. For example, a vulnerability for which there is a working exploit or a misconfiguration that makes it possible to circumvent an existing security control.
– Reporting outdated versions of any software without a proof of concept of a working exploit
– Missing TXT record for DMARC
– Everything related to HTTP Security headers (Strict Transport Security, X-Frame Options, X XSS Protection, X Content Type Options & Content Security Policy)
– Fingerprinting (version reference) on public services
– HTTP 404 pages or other non-200 HTTP pages & content spoofing or text injecting on these pages
– Public files or directories containing non-sensitive information
– Clickjacking and flaws that can only be exploited through clickjacking
– No secure or HTTP-only flags on insensitive cookies
– Host header injection
Are there any rewards?
Yes, we may reward you for your investigations. However, we are not obliged to do so. You are not automatically entitled to compensation. The amount of any reward is also not fixed in advance and is determined by us. Whether or not we issue a reward and the amount of any reward depends on a number of factors, including:
- the care with which you carry out your investigations;
- the quality of the information you provide;
- the amount of any loss or damage the information you provide prevents from being incurred.