Coordinated Vulnerability Disclosure (CVD)
Coordinated Vulnerability Disclosure Policy
We value the security of our systems and the trust of our users. If you have discovered a potential security vulnerability in our systems, we encourage you to report it to us as soon as possible. This Coordinated Vulnerability Disclosure (CVD) Policy outlines how you can report vulnerabilities to us, and what you can expect in return.
Reporting a Vulnerability
If you discover a vulnerability, please report it by filling out the form on this page.
Include the following information in your report:
- A detailed description of the vulnerability.
- Steps to reproduce the issue.
- Any relevant logs, screenshots, or proof-of-concept code.
- Your contact information (email address).
Information regarding the processing of your personal data:
We ask for your name and email address to be able to communicate with you regarding this report.
If you wish to be eligible for a reward, we will also require your address in order to send the reward. Therefore, we may ask for your address details after your report is processed. Your data will not be shared with third parties unless required by law or a court order.
What to Expect
We will:
- Acknowledge receipt of your report within 5 business days.
- Provide regular updates on the status of the vulnerability.
- Inform you when the issue has been resolved.
- Work with you to coordinate public disclosure.
We aim to resolve and disclose confirmed vulnerabilities within 90 days, depending on their complexity and impact.
Scope
This policy applies to:
- Publicly accessible domains and systems owned or operated by Het Security Office.
- Web applications developed and maintained by Het Security Office.
This policy does not authorize:
- Physical testing (e.g., office access, social engineering, tailgating).
- Denial-of-service or resource exhaustion attacks.
Out of Scope
Vulnerabilities that are out of scope include, but are not limited to:
- Reports of outdated software without a proven exploit.
- SPF, DKIM, or DMARC misconfigurations without demonstrable impact.
- Clickjacking on pages with no sensitive actions.
- Missing security headers with no impact.
- Use of known user credentials from data breaches not caused by Het Security Office.
Legal Considerations
We will not take legal action against individuals who:
- Report vulnerabilities in good faith.
- Respect the terms of this policy.
- Avoid compromising personal data, privacy, or availability of services.
We appreciate your help in keeping our systems secure.
Recognition
We may offer public acknowledgment for responsibly disclosed vulnerabilities, with your consent. To qualify, your report must be the first to alert us to the issue and must be actionable.
Thank you for helping us protect our systems and users.
Please use the form below to report a potential security vulnerability in our systems.