Responsible Disclosure Policy
At Bestel-thuis.nl, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems. This Responsible Disclosure Policy describes what we ask from you and how we can respond accordingly.
We may adjust this Responsible Disclosure Policy whenever we feel the need to, which is why we advise you to read this page thoroughly before sending us a message.
How do you make a report?
- We would appreciate it if you send us a detailed email about any leaks or weaknesses (vulnerabilities) as soon as they are discovered to [email protected]
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
- We ask you to provide your name, email address and telephone number. However, this is not required. You can also report under a pseudonym.
What are the rules?
As a token of our gratitude for your assistance, we offer a reward for every report of a security problem that was not yet known to us. The amount of the reward will be determined based on the severity of the leak and the quality of the report. The reward will be a voucher code which can be used to order from our company.
We apply the following rules:
- The vulnerability must be found on www.bestel-thuis.nl or a system associated with it.
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data.
- All the data obtained in the course of discovering the vulnerability should be erased immediately after reporting.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
- Identifying vulnerabilities may never cause damage to Bestel-thuis.nl, including reputational damage and disruption of our services.
- When you find vulnerabilities and report them to us, it may be that, even if you have complied with these rules, you have committed acts which are criminal or otherwise unlawful. If you act with integrity, follow our rules and report the vulnerability directly to us, we will not take legal action. However, we are not responsible for your actions, and we cannot exclude that they constitute criminal conduct or otherwise violate a rule or requirement.
The following reports are out of scope:
- Messages without a clear report and evidence of possible exploitation
- Our policy regarding the presence or absence of SPF / DKIM / DMARC records
- Cross-Site Request Forgery (CSRF) vulnerabilities on static pages (only pages reached after logging in are in scope)
- Redirection of HTTP to HTTPS
- HTML doesn't specify a charset
- HTML uses an unrecognized charset
- Cookie without HttpOnly flag
- Absence of HTTP Strict Transport Security (HSTS)
- Clickjacking or absence of X-Frame-Options on pages without a login
- User enumeration
- Possibly outdated server or application versions (of external parties) without evidence that these versions are vulnerable and a proof of concept
- Reports of unsafe SSL / TLS protocols and other misconfigurations
- Generic vulnerabilities in software or protocols that are not under the control of Bestel-thuis.nl
- Distributed Denial of Service (DDoS) attacks
- Spam or social engineering techniques
- Reports of routine scans, such as port scans
What does Bestel-thuis.nl do with a report?
- We will respond to your report within 3 working days with our evaluation of the report and, if possible, an expected resolution date.
- We treat your report confidentially and it will not be shared without your explicit permission, unless it is necessary to fulfill a legal obligation. We will not retain your personal information for longer than is necessary to resolve the vulnerability.
- Where this is appropriate and possible, we will keep you informed of the progress of solving the problem.
It may happen that information about vulnerabilities from Bestel-thuis.nl log files has to be handed over to the supervisory authority and/or the people involved to whom the data relates. If you wish, we will name you (or your pseudonym) as the discoverer in the coverage of the reported vulnerability.
You may not disclose any information about leaks or vulnerabilities and our possible solutions without our written consent.
This Responsible Disclosure Policy was published on December 12, 2015.