Vulnerability Disclosure Policy
PQR is committed to the security and privacy of its services and investigates every reported vulnerability thoroughly. While we work hard every day to protect our services, vulnerabilities may still surface. This page describes how we handle potential vulnerabilities in all aspects of our services.
Reporting a vulnerability
Have you spotted an issue around security or privacy in PQR services? Let us know! We are open to reports from anyone, including customers, security experts and developers. This kind of report is known as a Coordinated Vulnerability Disclosure (CVD). To report a vulnerability please send an email to disclosure@pqr.com that includes:
Service
The specific services which you believe are affected
Behavior
A description of the behavior you observed as well as the behavior that you expected
Description
Be as explicit and detailed as possible about the problem you found. Provide enough information to reproduce the issue so that we can resolve it as soon as possible. Complex vulnerabilities may require additional explanation; step-by-step instructions, screenshots or video demonstrations help here. Feel free to include supporting material (proof-of-concept code, tool output, etc.) that helps us understand the nature and severity of the vulnerability.
Contact details
Your email address or telephone number to enable us to contact you if we have any questions. We prefer to communicate via email.
Offering a solution is encouraged but not required. Your report will be handled by security specialists. We only accept reports written in English or Dutch.
In Scope
Did you discover a security flaw in a PQR ICT system or service? Please let us know before informing the outside world, so that we can take action first. This is called 'responsible disclosure' (or coordinated vulnerability disclosure).
Examples of qualifying vulnerabilities are:
- Remote Code Execution
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- SQL injection
- Cryptographic and encryption vulnerabilities
- Authentication bypasses and unauthorized data access
Out of scope
HTTP related issues
• HTTP 404 or other non-200 status codes/pages, and content spoofing/text injection on these pages
• Version banner disclosure (fingerprinting) on common/public services
• OPTIONS HTTP method enabled
• Anything related to HTTP security headers, e.g. Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy
SSL/TLS and email security issues
• SSL/TLS configuration issues, e.g. forward secrecy not enabled, weak or insecure cipher suites
• SPF, DKIM or DMARC issues
• Missing DNSSEC
Information leakage and disclosure of files
• Disclosure of known public files or directories, or of non-sensitive information (e.g. robots.txt)
• Information leakage in metadata
Click and UI related issues
• Clickjacking and issues only exploitable through clickjacking
• Missing Secure/HttpOnly flags on non-sensitive cookies
Injection attacks
• Host header injection
Older software versions and brute force attempts
• Reports of outdated software versions without a proof of concept or working exploit
• Username/email enumeration through brute-force attempts, e.g. via login page or forgot-password error messages
This list of exclusions is derived from a list used by the CERT of SURF.
We ask you to
- Report the vulnerability as soon as possible after discovery
- Handle knowledge of the vulnerability responsibly
- Take extra care with personal and confidential data
- Work with us to ensure the vulnerability is fixed in a safe and effective manner
We ask you not to
- Misuse the vulnerability found by:
 - copying or downloading data (unless necessary to prove your finding)
 - altering (editing) or removing (deleting) data and services
 - repeatedly accessing or sharing access to the service with others
 - causing damage to or unavailability of our services
- Share the vulnerability with others until it is resolved
- Perform brute-force attacks, denial-of-service (DoS) attacks, spam attacks or social engineering
- Conduct physical attacks on PQR employees, offices and services
- Introduce malware or backdoors into services
What we promise
- Responsible collaboration. We are committed to resolving all reported vulnerabilities as soon as possible and keeping everyone involved informed. Our PQR security experts will review your report and respond within 5 working days with an assessment and an estimated resolution date. We will keep you updated on progress and contact you if we need more information. We aim to resolve vulnerabilities within 60 days and will consult with you about publishing details and the solution.
- Confidentiality and privacy. We treat your report with the utmost care and do not share your personal data with third parties without your consent, unless required by law. If you wish, and with your permission, we will credit you by name as the discoverer.
- No legal action. If you comply with the terms of our CVD process, we will not take any legal action against you. However, the public prosecutor always retains the right to decide on prosecution.
- Rewards. To encourage the reporting of vulnerabilities to PQR, we may give you a reward for your research, but we are under no obligation to do so; you are not automatically entitled to one. The form of any reward is not fixed in advance and is determined by us case by case, depending on the severity of the vulnerability, the care taken in your investigation and the quality of the report.