Responsible Disclosure
Vulnerability
The eConnect platform has a high-quality security level based on continuous improvement and is constantly monitored. Do you discover a vulnerability in the eConnect platform and/or in one of our websites despite our measures? Let us know immediately! We will then be able to take appropriate measures quickly and appropriately. By reporting the vulnerability, your report will be dealt with in accordance with the agreements below and you, as reporter, declare that you agree with these agreements.
For you:
- Please report the vulnerability as soon as possible after its discovery.
- Mail your findings to disclosure@eConnect.eu.
- Do not use screen recordings or pdf files, please use plaintext and screenshots.
- Provide enough information so that we can reproduce the problem and resolve it as soon as possible.
- Provide contact details so that we can get in touch with you to work together to ensure a secure outcome. At least be sure to include an email address and phone number.
- Do not exploit the vulnerability or make changes to the system.
- Never share access to the system with others.
- In certain cases (e.g. if there is a (not yet known) vulnerability that is likely to be present in more places or if it concerns a vulnerability in the software of one of our suppliers) information about the vulnerability may be made public. This is always done in consultation and in accordance with the agreements made in this context.
- You always remain responsible for your own actions!
For us:
- If you comply with all the conditions above, we will not take legal action against you. If you are found to have breached any of the above conditions, we may still decide to take legal action against you.
- We have reserved capacity to respond adequately to reports received via disclosure@eConnect.eu.
- We always treat reports confidentially.
- We will send you an (automatic) confirmation of receipt within 1 working day. You will then receive a more substantive response to your report with an (initial) assessment of the report and possibly an expected date for a solution.
- We will solve the security problem you reported as soon as possible. In doing so, we aim to keep you well informed of progress and never take longer than 30 days to resolve the problem. We may be dependent on suppliers.
- We will keep you informed of the progress of the process.