Responsible Disclosure

We at 9292 emphasize the safety of our systems. In spite of our care for our systems’ security, a weak spot may occur anyway.

If you have found a weak spot in one of our systems, we would like to hear this, so we can take measures as soon as possible. We want to cooperate with you to be able to protect our clients and our systems better.

We ask you:

  • To mail your findings and your contact details to privacyofficer@9292.nl. Put your findings in a document protected with a password; the service desk will ask you to send your password by text. 
  • To refrain from abusing the problem by downloading more data than is necessary to show the leak or consult, remove or change data of others, 
  • To refrain from sharing the problem with others until it has been solved and to delete all confidential data obtained via the leak immediately after sealing of the leak, 
  • To refrain from using attacks on physical protection, social engineering, distributed denial of service, spam or applications of others, and 
  • Provide sufficient information to reproduce the problem so we can solve it as soon as possible. Usually the IP address or URL of the affected system and a description of its vulnerability suffices, but in case of more complex vulnerabilities more may be required.

What we promise:

  • We will react within 20 days of your notification with our assessment of the notification. 
  • If you have adhered to the conditions mentioned above, we will not take legal steps against you regarding this notification. 
  • We will treat your notification confidentially and will not share your personal details with others without your permission, unless this is necessary to comply with our legal obligation. Notifying under an alias is possible. 
  • In reporting the notified problem we will mention your name as the discoverer if you wish.

Publication:

  • If notifier and 9292 agree to make the vulnerability public, a notifier will not make it public until all organizations involved have been well informed and indicate that the vulnerability has been solved, in conformity with the agreements made. 
  • If a vulnerability cannot be solved or is difficult to solve, or if high costs are involved, notifier and 9292 can agree to refrain from making the vulnerability public.

 

Last update: 15-10-2018