Responsible Disclosure

We at 9292 emphasize the safety of our systems. In spite of our care for our systems’ security, a weak spot may occur anyway.

If you have found a weak spot in one of our systems, we would like to hear this, so we can take measures as soon as possible. We want to cooperate with you to be able to protect our clients and our systems better.

We ask you:

  • To mail your findings and your contact details to Put your findings in a document protected with a password; the service desk will ask you to send your password by text. 
  • To refrain from abusing the problem by downloading more data than is necessary to show the leak or consult, remove or change data of others, 
  • To refrain from sharing the problem with others until it has been solved and to delete all confidential data obtained via the leak immediately after sealing of the leak, 
  • To refrain from using attacks on physical protection, social engineering, distributed denial of service, spam or applications of others, and 
  • Provide sufficient information to reproduce the problem so we can solve it as soon as possible. Usually the IP address or URL of the affected system and a description of its vulnerability suffices, but in case of more complex vulnerabilities more may be required.

What we promise:

  • We will react within 3 days of your notification with our assessment of the notification and an expected date for a solution. 
  • If you have adhered to the conditions mentioned above, we will not take legal steps against you regarding this notification. 
  • We will treat your notification confidentially and will not share your personal details with others without your permission, unless this is necessary to comply with our legal obligation. Notifying under an alias is possible. 
  • We will keep you informed of the progress of solving the problem. 
  • In reporting the notified problem we will mention your name as the discoverer if you wish, and 
  • As a token of gratitude we offer a reward for each notification of a security problem unknown to us. The size of the reward will be determined as to the seriousness of the leak and the quality of the notification, with a voucher of € 50 as a minimum. 


  • If notifier and 9292 agree to make the vulnerability public, a notifier will not make it public until all organizations involved have been well informed and indicate that the vulnerability has been solved, in conformity with the agreements made. 
  • If a vulnerability cannot be solved or is difficult to solve, or if high costs are involved, notifier and 9292 can agree to refrain from making the vulnerability public.