Responsible Disclosure Policy

Reporting a security breach
We do all we can to keep our systems secure. We are well aware that security is a continuous process, and new threats or weaknesses may appear at any time. It’s possible that you’ll spot a weakness we’ve missed. If you do, please let us know, so that we can do something about it quickly. Reporting problems you come across is known as responsible disclosure.

 

Security issues
Should you encounter a security issue with our services, then please let us know. A security issue means any issue or weakness that may be used to abuse, manipulate or make inaccessible data in our services. This does not only include technical security but also procedural weaknesses.

We hereby permit you to proactively search for suspected security issues in our software or infrastructure. However, we do not permit actions that cause damage to us or our customers, such as by erasing data or disrupting our operations. Further, publishing personal data obtained through such a search is not permitted.

 

How to report a weakness?
Please report any issues you have found by e-mail to cert@connectis.nl.
In any case, please include:

  • The urgency of the issue
  • A brief description of the issue
  • Screenshots or other information that illustrates the problem in more detail
  • Any steps needed to reproduce the problem
  • Your contact details, so that we can get in touch if we need to know more (a name and e-mail address or phone number; using a pseudonym is permitted)
  • Whether you want to stay updated on our progress in solving the issue

 

What we will do

  • We will respond to your report within three Dutch working days
  • Your report is confidential and your identity will not be shared with third parties (unless mandated by law). We consider ourselves morally obligated to report you if we suspect the weakness or data has been abused, or that you have shared knowledge of the weakness with others.
  • Further, we will keep you informed about the progress of the solution if you have indicated that you would like to stay updated.

If you stick to the above rules, we will not file criminal charges or initiate legal proceedings against you.

 

Reward
As thanks for your help, we offer a reward for every report of a security problem that is not known to us. We determine the value of the reward on the basis of the seriousness of the breach and the quality of the report.