At Reasonnet, we consider the security of our systems, network, products, and services to be of utmost importance. In spite of the care and efforts we take for the security of our systems, it can happen that a weak point remains. If you have found a weakness in one of our systems, we would like to hear about it so that we can take appropriate measures as quickly as possible.
Weak points can be discovered in two ways: you accidently come upon something during the normal use of a digital environment, or you explicitly do your best to find a weakness.
Our responsible disclosure policy is not an invitation to actively scan our network, infrastructure or any individual asset to discover weak points. We monitor our network, infrastructure and assets ourselves. This means that there is a high chance that a scan will be detected, and that an investigation will be performed by our Security Team, which could result in unnecessary costs.
You are warmly invited to actively search for vulnerabilities in our products and services in an offline non-production environment and to report your findings to us. Our responsibility towards our customers includes that our intention is not to encourage hacking attempts on the infrastructure they are using. However, we would like to hear from you as rapidly as possible if vulnerabilities are found in our products, so that we can resolve them adequately.
We will be happy to work with you in order to (possibly) improve the protection of our and customer data, as well as the security of our systems.
How to submit vulnerability reports
If you would like to send certain data in an encrypted way e-mail us at email@example.com so we can discuss the various options available.
Please note that we can only process vulnerability reports made in Dutch or English.
How to anonymously report vulnerabilities
You can also anonymously report vulnerabilities. Bear in mind that it will then not be possible to make contact after you report or offer an award to express our gratitude. In order to remain anonymous, you will need to email from a random email address, without including any further contact details.
When you report a vulnerability, you may be performing an illegal act. If you act with integrity, stick to the rules and report the vulnerability to us, you will not be prosecuted. You may also be eligible for a reward.
Searching for a vulnerability or investigation a vulnerability should never lead to:
- Financial, legal, operational or reputational damage to ReasonNet
- Disruption or degradation of our services
- Publication of confidential (customer) data
We ask that you:
- Do not abuse the vulnerability in any way;
- Do not download, copy, change or remove any data;
- Do not add anything to our assets in order to demonstrate the
- Do not make any system changes;
- Do not repeatedly try passwords (brute force) to access systems;
- Do not make use of attacks on physical security of social engineering or hacking tools, such as vulnerability scanners;
- Do not share the vulnerability with others until it has been resolved; and
- Give adequate and detailed information for the problem to be reproduced so that we can resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability are sufficient, although additional information may be required for more complex vulnerabilities.
What we promise:
- We will always take your report seriously and investigate any suspicions of a vulnerability, even without “proof”;
- We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date;
- We will handle your report confidentially and we will not share your personal information with third parties without your permission (with the exception of the police and judiciary in the event of prosecution or when information is demanded);
- We will keep you informed about the progress of the solution to the problem;
- In communication about the reported problem we will state your name as the discoverer, if you wish;
- Unfortunately it is not possible to guarantee in advance that there will be no legal action taken against you. We hope to be able to consider each situation individually. We consider ourselves morally obligated to make a statement at the moment that we have the suspicion that either the weakness or data is being abused, or that you have shared knowledge about the weakness with others. You can be rest assured that an accidental discovery in our online environment will not lead to prosecution; and
- We are pleased that people want to help optimizing our systems and data protection. As a token of appreciation, we offer a reward for every report of a security problem that is not known to us. We determine the value of the reward on the basis of the seriousness of the breach and the quality of the report.
We strive to resolve all problems as rapidly as possible, to keep all involved parties informed, and we would like to be involved in any publication about the problem once it is resolved.
Version 1.0 - March 2015