Vulnerability Disclosure Policy

Because it wishes to improve the performance and security of its websites, Cyber Policy House BV has decided to implement a coordinated vulnerability disclosure policy. This enables outside participants with good intentions to identify possible vulnerabilities and/or provide CPH with useful information.

This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey preferences in how to submit discovered vulnerabilities to us.

This policy describes which systems are covered by it and how to send us vulnerability reports.

We encourage you to contact us to report potential vulnerabilities.

Access to the Cyber Policy House websites’ IT systems within the framework of this policy is granted only to persons whose intention is to improve their security, to inform us of existing vulnerabilities, and in strict compliance with the other conditions set out in this document.

Participants are also authorised to attempt to enter IT data into the IT system concerned, subject to the purposes and conditions of this policy.

Our policy relates to security vulnerabilities that could be abused by third parties or interfere with the proper functioning of our products, services, network or IT systems.

List of the products, services or websites within the scope of this policy:

Systems dependent on third parties are outside the scope of this policy, unless these third parties explicitly agree in advance to these rules.

Mutual obligations of the parties

A. Proportionality

Participants undertake to comply strictly with the principle of proportionality in all their activities, i.e. not to disrupt the availability of the services provided by the system and not to exploit vulnerabilities beyond what is strictly necessary to demonstrate the security issue. Their approach must remain proportionate: if the safety problem has been demonstrated on a small scale, no further action should be taken.

B. Actions that are not allowed

Participants are not permitted to take the following actions:

  • copying or altering data from the IT system or deleting data from that system;
  • changing the IT system parameters;
  • installing malware: viruses, worms, Trojan horses, etc.;
  • Distributed Denial of Service (DDoS) attacks;
  • social engineering attacks;
  • phishing attacks;
  • spamming;
  • stealing passwords or brute force attacks;
  • installing a device to intercept, store or learn of (electronic) communications that are not accessible to the public;
  • the intentional interception, storage or receipt of communications not accessible to the public or of electronic communications;
  • the deliberate use, maintenance, communication or distribution of the content of non-public communications or of data from an IT system where the participant should reasonably have known it had been obtained unlawfully.

C. Confidentiality

Under no circumstances may participants share any information collected under this policy with third parties, or disseminate this information to third parties, without our prior and express consent.

Nor is it permitted to communicate IT data, communication data or personal data to third parties or to distribute this data to third parties.

Our policy is not intended to allow the deliberate disclosure of the content of IT data, communication data or personal data, and such disclosure may only occur by accident in the context of the detection of vulnerabilities.

If participants enlist assistance from a third party to perform their test, they shall ensure that the third party is aware of this policy in advance and agrees to comply with the terms of the policy, including confidentiality, when providing assistance.

D. Bona fide execution

The Cyber Policy House BV undertakes to implement this policy in good faith and not to bring civil or criminal proceedings against any participant who strictly complies with its terms and conditions and who has not intentionally caused harm to the IT systems concerned.

There can be no fraudulent intent, intent to harm, or desire to use or cause harm to the visited system or its data on the part of the participant.

In case participants are in doubt about certain conditions of our policy, they must consult our point of contact in advance and must act in accordance with the written answer they receive.

E. Processing of personal data

A coordinated disclosure policy is not intended to have the processing of personal data as its primary or deliberate purpose. Unless it is necessary to prove the existence of a vulnerability, participants are not allowed to consult, retrieve or store personal data.

However, participants may, even by accident, get access to personal data that is stored, processed or transmitted in the IT system concerned. It may also be necessary for the participant to temporarily consult, retrieve or use personal data in the context of vulnerability detection.

In this case, participants must notify the Cyber Policy House’s Data Protection Officer:

Link to the form: https://forms.gle/2a74utF8oK7xD3iv9

When processing such data, participants undertake to comply with the legal obligations concerning the protection of personal data [1] and to comply with the terms of this policy.

The processing of personal data for purposes other than the detection of vulnerabilities in the CPH’s systems, equipment or products is not allowed.

Participants may not store any personal data processed for longer than is necessary. During this period, participants must ensure that this information is stored with a level of protection that is proportionate to the risks (preferably encrypted). After being used for the purpose of the policy, this data must be deleted immediately.

Finally, participants must inform us of any loss of personal data as soon as possible after becoming aware of it.

[1] Regulation No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

How to report security vulnerabilities

A. Point of contact

Our preferred submission method is via this form: https://forms.gle/zJ6FFdPCc9YrbDi3A. Submitting personal information in the form is optional.

Applicable law

Belgian law shall apply to any disputes relating to the application of this policy.