Coordinated Vulnerability Disclosure
Collaborate with us
If you nevertheless notice a weak spot in one of our IT systems, we would appreciate it if you would report it to us first. Publicising weak spots in our IT systems without having spoken to us about them first may have serious consequences, however good your intentions are.
Reporting weak spots
Please fill out the form at the bottom of this page.
What will happen to your report?
Someone will contact you within 1 working day to notify you that the report has been received.
A team of security experts will investigate your report in the meantime and someone will contact you within 3 working days. This may be in relation to the weak spots you have identified, how you found these and any subsequent steps.
Don’t be afraid. Your personal data will only be used to undertake further action based on the information you provide in your report. In principle, we will not share your personal data with third parties without your permission.
It’s important that you stick to the rules
During your investigations, you may carry out actions that are punishable by law. As long as you keep to the rules for reporting weak spots in our IT systems, we will not report you to the police or claim for losses or damage.
We cannot guarantee that you will never be prosecuted if you commit a punishable offence during the course of your investigations, even if we do not report such an offence. The public prosecutor always has the final say as to whether or not you will be prosecuted. We have no say in this.
- Be responsible and careful.
- Only use methods that are strictly necessary for finding or pointing out the vulnerabilities.
- Use the weaknesses you have identified only for your own investigations and never for any other purpose.
- Do not use social engineering, brute-force attacks or lateral movement to gain access to a system. Denial of service attacks are also not welcome.
- Do not install a backdoor in a system, even with the intention of demonstrating the vulnerability. A backdoor renders a system even more insecure.
- Do not change or delete any details in the system.
- Never copy more data than necessary. If a single record is sufficient for your investigations, do not copy any more.
- Do not penetrate a system more often than necessary.
- Last but not least, do not share the access you gained with others.
Are there any rewards?
Yes, we may reward you for your investigations. However, we are not obliged to do so. You are not automatically entitled to compensation. The amount of any reward is also not fixed in advance and is determined by us. Whether or not we issue a reward and the amount of any reward depends on a number of factors, including:
- the care with which you carry out your investigations;
- the quality of the information you provide;
- the amount of any loss or damage the information you provide prevents from being incurred.