Responsible disclosure

Onsweb and its partners consider the security of their systems to be very important. Despite all the care taken to secure these systems, a vulnerability that is not yet known can still exist. If you find a vulnerability in one of our systems, please report it to us so that we can take measures as quickly as possible. We are happy to work with you to better protect our users and systems.

No invitation to active scanning

Our so-called responsible disclosure policy is not an invitation to actively scan our network or our systems for vulnerabilities. We also monitor our company network ourselves. As a result, there is a good chance that we will detect your scan and that our security team will investigate it, which may lead to unnecessary costs.

Prosecution

It is possible that during your investigation you perform actions that are punishable under criminal law. If you have complied with the following conditions, we will not take any legal action against you. However, the Public Prosecutor's Office always retains the right to decide whether or not to prosecute you. Read the policy letter from the Public Prosecution Service (pdf) and this link on the website of the NCSC (pdf).

What do we ask?

  • Please email your findings to security@onsweb.nl. Encrypt your findings to prevent the information from falling into the wrong hands.
  • Do not abuse the vulnerability by, for example:
    • Downloading more data than necessary to demonstrate the leak
    • Changing or deleting data
  • Be extra cautious with personal data.
  • Do not share the vulnerability with others until it is resolved.
  • Do not use attacks on physical security or third-party applications, social engineering, (distributed) denial-of-service, malware, or spam.
  • Provide sufficient information to reproduce the vulnerability so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability and the actions performed are sufficient, but more complex vulnerabilities may require more information.

Please, in any case, avoid the following actions

  1. placing malware.
  2. copying, modifying or deleting data in a system (an alternative for this is creating a directory listing of a system).
  3. making changes to the system.
  4. gaining access to the system repeatedly or sharing access with others.
  5. making use of so-called "bruteforcing" to access our systems.
  6. using denial-of-service or social engineering.

Our promise to you

  • We respond within 3 working days with our assessment of your findings and the expected date for a solution.
  • We will treat your email and findings confidentially and will not share your personal information with third parties without your consent, unless this is necessary to comply with a legal obligation.
  • We keep you informed of the progress of solving the vulnerability.
  • You can report anonymously or under a pseudonym. In that case, however, we cannot contact you about, for example, the follow-up steps, the progress of closing the leak, publication or any reward for the report.
  • In reporting on the reported vulnerability we will, if you wish, mention your name as the discoverer of the vulnerability.
  • We strive to solve all problems as quickly as possible and to keep all parties involved informed. We are happy to be involved in a possible publication about the vulnerability after it has been resolved.
  • We can give you a reward as thanks for your help and research, but are not obliged to do so. The form of this reward is not fixed in advance and is set by us on a case-by-case basis. Whether we give you a reward and the way in which that happens depends on the accuracy of your research, the quality of the report and the severity of the leak. We strive for a minimum reward of 50 to 350 euros in the form of vouchers or a donation to charity.

We are happy to work with you to better protect our users and systems!