The HSD Foundation’s Responsible Disclosure Policy, in addition to the Guideline Responsible Disclosure published by the NCSC.
We of course take the security of our websites and systems very seriously. Despite our efforts to secure our websites and systems, there could still be weak spots.
If you have found a weakness in ‘Security Insight’, we would like to hear about it so we can take action as soon as possible. We would like to cooperate with you in order to better protect our partners and systems.
We would like to ask you to:
- Email your findings to Evertjan Jansenschoonhoven and Joris den Bruinen.
- Not misuse your findings by, for example downloading more data than necessary or looking into, deleting and modifying data from third parties.
- Not share information about the issue with others until it is solved and erase all confidential data obtained through the leak directly afterwards.
- Not use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications.
- Provide sufficient information to reproduce the problem so we can fix it as soon as possible. In most cases, providing the IP-address or URL of the affected system together with a description of the problem would be sufficient, but more detailed information might be necessary for more complex problems.
What we promise:
- We will respond to your report with an assessment of the problem and expected date for a solution within 5 workdays.
- If you have complied with the above conditions, we will not take legal actions against you.
- We will treat your report confidentially and your personal details will not be shared with third parties without your permission unless this is necessary to meet our legal obligations. Reporting using a pseudonym is possible as well.
- We will keep you informed about the progress of solving the problem.
- If you wish, we will include your name as discoverer in our communications about the problem, we do this via a Wall of Fame.
- As a non-profit organisation, we cannot pay a financial reward for a notification. However, as a reward, we could offer you a podium and attention and/or we could get you into contact with members of our network of security organisations.
We strive to resolve any problems as quickly as possible and we like to be involved in a possible publication on the issue after it is resolved.
To view who have helped us in the past, a Wall of Fame has been set up to showcase the individuals who aid us in identifying vulnerabilities on our website.
We would like to thank Floor Terra for making the example available, on which this disclosure is based.