Vulnerability Disclosure Policy
Report vulnerability
Have you spotted an issue around security or privacy in PQR services? Let us know! We are open to reports from anyone, including customers, security experts and developers. Such reports come under the umbrella of Coordinated Vulnerability Disclosure (CVD). To report a vulnerability, send an email to disclosure@pqr.com with the following info:
Service
The specific services you think are affected
Behaviour
A description of the behaviour you noticed and what you actually expected
Description
Try to be as clear and detailed as possible about the problem you found. Provide enough info to reproduce the issue so that we can fix it as soon as possible. Complicated vulnerabilities may require additional explanation, such as step-by-step instructions, screenshots or video demonstrations. Feel free to provide supporting material (proof-of-concept code, tool output, etc.) that helps us understand the nature and severity of the vulnerability.
Contact
Your e-mail address or telephone number so that we can contact you if we have any questions. We prefer communication via e-mail.
Offering a solution is much appreciated but not mandatory. Rest assured that your reports will be reviewed by specialists. We only accept reports in English or Dutch.
In Scope
Have you discovered a security flaw in a PQR ICT system or service? Please let us know before informing the outside world so that we can take action first. This is called 'responsible reporting' or 'responsible disclosure'.
Examples of eligible vulnerabilities include:
- Remote Code Execution
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- SQL injection
- Encryption problems
- Bypassing authentication and unauthorised access to data
Out of scope
HTTP-related issues
- HTTP 404 codes/pages or other HTTP non-200 codes/pages and Content Spoofing/Text Injection on these pages
- Disclosure of software version or fingerprint banners on general/public services
- OPTIONS HTTP method enabled
- Anything related to HTTP security headers, e.g.: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy.
SSL/TLS and email security issues
- SSL configuration issues, e.g.: SSL forward secrecy not enabled, weak / insecure encryption suites.
- SPF, DKIM, DMARC issues
- DNSSEC missing
Information leakage and file disclosure
- Disclosure of known public files or directories or non-sensitive information (e.g. robots.txt)
- Information leakage in metadata
Click and user interface related issues
- Clickjacking and issues that can only be exploited by clickjacking
- Lack of Secure/HttpOnly flags on non-sensitive cookies
Injection attacks
- Host header injection
Older software versions and brute force attempts
- Reporting older versions of software without proof of concept or working exploit
- Enumerating usernames/e-mail addresses by brute-force attempts, for example via login page or forgot-password error messages
This exclusion list is derived from a list used by SURF's CERT.
What we ask you to do
- Report the vulnerability as soon as possible after discovery
- Handle vulnerability knowledge responsibly
- Be extra careful with personal and confidential data
- Work with us to ensure the vulnerability is fixed in a safe and effective manner
What we ask you not to do
- Misuse the vulnerability you found by:
  - copying or downloading data (unless necessary to prove your finding)
  - changing (editing) or deleting data and services
  - repeatedly accessing the service or sharing access to it with others
  - causing damage to or unavailability of our services
- Share the vulnerability with others until it is resolved
- Conduct brute-force attacks, denial-of-service (DoS) attacks, spam attacks or social engineering
- Conduct physical attacks on PQR employees, offices and services
- Introduce malware or backdoors into services
What we promise you
- Working together responsibly. We are committed to resolving all discovered vulnerabilities as soon as possible and keeping everyone informed. Our PQR security experts will review your report and respond within 5 working days with an assessment and estimated resolution date. We will keep you updated on progress and contact you if we need more info. We aim to resolve vulnerabilities within a maximum of 60 days and will consult with you about publishing details and fixes.
- Confidentiality & privacy. We will treat your report with the utmost care and will not share your data with third parties without your consent, unless required by law. If you wish, we may mention your name as a discoverer, provided you give us permission to do so.
- No legal action. If you comply with the terms of our CVD process, we will not take any legal action against you. However, the public prosecutor always retains the right to decide on prosecution.
- Rewards. To encourage reporting vulnerabilities to PQR, we may give you a reward for your investigation, but we are under no obligation to do so. You are therefore not automatically entitled to compensation. The form of this reward is not fixed in advance and is determined by us on a case-by-case basis. Whether and in what form a reward is given depends on the severity of the vulnerability, the care taken in your investigation and the quality of the report.