Coordinated Vulnerability Disclosure

Introduction:

At Cyber Connects B.V., we place a paramount emphasis on the security of our systems, our data, and most notably, the information belonging to our esteemed clients. Despite our unwavering commitment to fortifying our systems, vulnerabilities may still emerge.

How to Report a Vulnerability:

We invite you to report any discovered vulnerabilities within our systems by emailing your findings to info@cyberconnects.nl. Please ensure that your report includes sufficient information for us to reproduce the issue swiftly. Typically, the IP address or URL of the affected system, along with a description of the vulnerability, should suffice. However, more intricate vulnerabilities may necessitate additional details.

Expectations from You:

We kindly request that you adhere to the following guidelines:

  • Maintain confidentiality and refrain from sharing information regarding the security issue until it has been resolved.
  • Demonstrate responsible handling of your knowledge about the security problem, only engaging in actions essential to showcase the issue.
  • Avoid any actions that may result in data alteration or destruction, and refrain from exploiting the situation.
  • Please provide us with your contact information, enabling us to collaborate securely in resolving the issue.


What You Can Expect from Us:

Upon submission of your report, expect to receive confirmation from us within a maximum of 5 days. All reports will be treated with the utmost confidentiality. In general, we do not disclose your report to third parties, unless necessary for issue resolution or mandated by legal requirements. In certain instances, we may reach out to you for additional information to facilitate our investigation. We will make every effort to keep you informed about the progress and status of your report whenever possible.

Additionally, in select cases, we may express our appreciation by providing a token of gratitude for your contribution. If such a scenario applies to you, we will initiate contact.

Out-of-Scope Vulnerabilities:

When reporting a vulnerability, we kindly ask that you consider the following types of vulnerabilities as “out of scope” for our program:

  • Clickjacking on pages that lack sensitive actions and do not have a documented series of clicks capable of exploiting a sensitive functionality.
  • CSRF issues related to non-significant actions.
  • CORS misconfigurations where the Access-Control-Allow-Credentials header is not set.
  • Missing HTTP security headers that do not directly lead to vulnerabilities, including:
    • Content-Security-Policy
    • Strict-Transport-Security
    • X-Content-Type-Options
    • X-XSS-Protection
    • X-Frame-Options (unless a well-defined risk is evident)
    • X-Download-Options
  • Missing best practices in SSL/TLS configuration.
  • Missing best practices in Content Security Policy.
  • Neglect of email best practices (e.g., invalid, incomplete, or missing SPF/DKIM/DMARC records).
  • Absence of cookie flags on cookies that do not store session or other sensitive information.
  • Information disclosure, including default exposed config files with no sensitive data.
  • Open redirect vulnerabilities that do not exhibit additional security impact.
  • Content spoofing and text injection issues without demonstrating an attack vector or the ability to modify HTML/CSS.
  • Host header injection issues lacking demonstrable impact.
  • Vulnerabilities reported shortly after their public release.
  • Vulnerability reports generated by automated tools without prior validation.
  • Denial of Service and Social Engineering attacks.
  • Attacks necessitating MITM (Man-in-the-Middle) or physical access to a user’s device.

We want to emphasize that your contributions to our security efforts are invaluable. Your vigilance and cooperation aid us in fortifying our systems, ensuring the safety of our data, and protecting the information of our cherished guests. By reporting vulnerabilities, you become an essential part of our commitment to excellence in cybersecurity.

Rest assured, your dedication to security is greatly appreciated. Your information will be handled with the utmost care and confidentiality. Together, we can make our digital environment safer and more resilient.

Thank you for being a part of our collective security endeavor. We look forward to working together to maintain the highest standards of protection.