Coordinated Vulnerability Disclosure Policy
Our reliance on digital infrastructure is only increasing, and this applies to us as well. We believe that all service providers (including ourselves) must prioritize the security of their digital infrastructure. We understand that vulnerabilities may exist in our systems, despite our best intentions and care. If you discover a weakness in one of our systems, we would appreciate it if you let us know so we can resolve the issue.
What we expect from you:
- When investigating a vulnerability in one of our systems, keep the proportionality of your testing in mind. It is not necessary to demonstrate, for example, that a large DDoS attack could bring down our website; we are aware of that possibility.
- Proportionality also applies when demonstrating the vulnerability itself. Do not view or alter more data than strictly necessary to demonstrate the issue. For instance, if you can modify our homepage, add a non-controversial word instead of taking over the entire page. If you gain access to a database, a list of tables or the first row from one of those tables is sufficient.
- Report a vulnerability as soon as possible by emailing webteam@panteia.nl. Provide enough information for us to reproduce and investigate the issue.
- Do not share knowledge of the vulnerability with others until we have resolved it, or until a reasonable timeframe for resolving it has passed.
- Delete any confidential data you obtained during your investigation immediately after we have resolved the vulnerability.
What you can expect from us:
- We will respond to your report within seven days, including the expected timeline for a fix, and keep you informed of our progress.
- We will resolve the vulnerability as quickly as possible. Here, too, proportionality plays an important role: the timeframe depends on factors such as the severity and complexity of the issue.
- If you meet the above expectations, we will not take legal action against you for your report.
- We believe in giving you the credit you deserve, if you want it. With your consent, we will mention your name in any publication related to the vulnerability.
- As a thank you for helping us better secure our systems, we are happy to reward you for reporting previously unknown vulnerabilities. The reward will depend on the severity of the issue and the quality of your report.
- If the vulnerability you discover is in third-party software that we use and falls under a bug bounty program, any applicable bounty will go to you.
Exclusions
To save everyone's time, please do not report trivial or non-exploitable findings. We are already aware of certain issues, and in most cases these are accepted risks. A non-exhaustive list of findings we prefer not to receive reports about:
- Missing or misconfigured HTTP security headers.
- SPF, DKIM, and DMARC issues.
- Publicly accessible files and folders with non-sensitive information (e.g., robots.txt).
- HTTP 404 pages or other non-200 HTTP status codes/pages.
- Outdated JavaScript libraries, such as jQuery, without a demonstrated exploitable impact.
Self-assessments
We strive to be a reliable and secure partner; this is one of our top priorities, and your data should be safe with us. To that end we hold ourselves to high standards and regularly assess our security posture, including with the following online tools:
- Hardenize.com
- Internet.nl
- SSLLabs.com