Reporting a security breach

How to report a problem:

  • Please make a report as soon as possible after discovering a vulnerability. Send your findings through our upload portal. If you encounter any issues, contact us at: +31588458000.
  • Provide us with as much information as possible so that we can reproduce the issue. Include a detailed description of the steps you took, IP addresses used, logs, screenshots, etc. This will assist us in resolving the problem as quickly as possible.
  • Kindly provide us with your email address and phone number so that we can contact you if we have further questions and express our gratitude for your assistance.

What to keep in mind:

  • Do not share information about the vulnerability with third parties.
  • Destroy any data you may have obtained.
  • Do not go beyond what is necessary to demonstrate the problem.
  • Do not exploit the vulnerability. If this occurs, we will report it to the authorities.

What is not allowed:

  • Placing malware.
  • Making copies, modifying, or deleting data.
  • Making alterations to our systems.
  • Accessing our systems multiple times or sharing access with others.
  • Using brute-force techniques to gain access to our systems.
  • Employing (D)DoS or social engineering techniques.

What doesn’t need to be reported:

  • Physical attacks.
  • Non-reproducible situations.
  • Exploits that cannot be validated with a second method/tool.
  • User errors.
  • Simple lists, version numbers of OS, services, and ports.
  • Publicly available files that should be publicly accessible.
  • Missing HTTP-only flag on cookies that do not contain sensitive information.
  • Incomplete or missing SPF, DKIM, or DMARC records.
  • Services running at third parties (refer to their own responsible disclosure page).
  • Email addresses found in a data breach at a third party.
  • Vulnerabilities for which patches have been released in the last 2 weeks.
  • URL redirects (to a valid page).

Known issues:

If the problems are already known to us and being addressed or if we have designated them as accepted risks, the report will not be further processed. Our staff will notify you in such cases.

What you can expect from us:

  • We will send you a response within 1 business day to confirm receipt of your report.
  • Within 5 business days, we will provide you with a detailed response and, if possible, an estimated resolution date.
  • We will treat your report confidentially and keep you informed of the progress.
  • We will not pursue any legal action related to the report, provided you adhere to the guidelines mentioned above.