Responsible Disclosure


Vulnerability discovered?

Please let us know as soon as possible!


At Schouten Zekerheid, the security of our systems is very important to us. Despite the fact that we take great care with security, it may happen that a weak spot is discovered. If that is the case, we would like to hear about it as soon as possible so that we can take measures quickly.

Weaknesses can be discovered in two ways: you accidentally run into something during normal use of a digital environment, or you make an explicit effort to find a weakness. Our responsible disclosure policy is not an invitation to actively and extensively scan our corporate network for vulnerabilities. We monitor our network ourselves. This increases the likelihood that a scan will be picked up, that we will investigate, and that unnecessary costs may be incurred. We would like to work with you to better protect our relationships and our systems.

We ask you:

- Email your findings as soon as possible to security-alert@schoutenzekerheid.nl.
- Do not abuse the vulnerability by, for example, downloading, changing or deleting data. We always take your report seriously and will investigate any suspected vulnerability, even without "proof."
- Do not share the problem and associated data with others and delete it immediately after we fix the problem.
- Do not use physical security attacks, social engineering or hacking tools, such as vulnerability scanners.
- Provide us with enough information to reproduce the problem so that we can fix it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more may be needed for more complex vulnerabilities.
- Cooperate with requests we make of you under legal obligations and regulatory requirements. Examples include a request to destroy (personal) data and to provide information.

What we promise:

- We will respond to your report within five business days with our assessment of the report and an expected date for resolution.
- We will treat your report confidentially and will not share your personal information with third parties without your permission. An exception to this is police and judicial authorities, in case of a report or if necessary to comply with a legal obligation.
- We will keep you informed about the progress of solving the problem.
- In notifications about the reported problem, we will, if you wish, mention your name as the discoverer.
- We consider ourselves morally obliged to report the moment we suspect that the vulnerability or data is being misused, that you have shared knowledge about the vulnerability with others or that you are not complying with agreements. Unfortunately, it is not possible to rule out legal action against you in advance. You can rest assured that an accidental discovery in our online environment will not lead to charges.

In conclusion

We strive to resolve all problems as quickly as possible, keep all parties involved informed, and we are happy to be involved in any publication about the problem after it is resolved. In the event of a dispute regarding the agreements in this policy, we will always strive to resolve it among ourselves. If we cannot reach a solution, the dispute will be submitted to the competent court in Rotterdam and Dutch law will apply.

With thanks to Floor Terra for his sample text on responsibledisclosure.nl