At MijnPartnerGroep, we consider the security of our systems, our network and our products very important. We continuously work on the security and optimization of our websites and systems. Despite the fact that we take great care of security, it may happen that a weak spot is discovered. If that is the case, we would like to hear about it as soon as possible, so that we can take measures quickly.
Weaknesses can be discovered in two ways: you run into something by accident during normal use of a digital environment, or you make an explicit effort to find a weak spot.
Our responsible disclosure policy is not an invitation to actively scan our company network and websites extensively for vulnerabilities, as we monitor our websites and network ourselves. If you do so, costs may be incurred. We reserve the right to pass on these costs.
Regarding our products, you are cordially invited to actively look for vulnerabilities in an offline and non-production environment and report your findings to us. Out of responsibility towards our customers, we do not want to call for hacking attempts on their infrastructure. However, we do want to hear from you as soon as any vulnerabilities are found, so we can fix them appropriately.
We would like to work with you to better protect our customers and our systems.
We ask you to:
Email your findings as soon as possible to firstname.lastname@example.org
Do not abuse the vulnerability by, for example, downloading, changing or deleting data. When demonstrating a vulnerability, use your own accounts if possible and read out a maximum of 1 record. We always take your report seriously and investigate every suspicion of a vulnerability, even without 'proof'.
Do not share the problem with others, see also communication (Publication).
Do not use physical security attacks, social engineering or hacking tools, such as vulnerability scanners.
Give us enough information to reproduce the problem so we can fix it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more may be required for more complex vulnerabilities.
What we promise:
We will respond to your report within three business days with an expected date for resolution. If no date for resolution is given, the problem will be addressed and resolved within 30 days of the report. Naturally you will be kept informed.
We will treat your report confidentially and will not share your personal information with third parties without your permission. An exception to this is the police and judicial authorities, in case of a report or if data is being claimed.
We will keep you informed about the progress of solving the problem.
In notifications about the reported problem, we will, if you wish, include your name as the discoverer.
Unfortunately, it is not possible to exclude legal action in advance. We want to be able to weigh each situation separately. We consider ourselves morally obliged to report the moment we suspect that the vulnerability or data is being misused, or that you have shared knowledge of the vulnerability with others. You can rest assured that an accidental discovery in our online environment will not lead to a report.
As a thank you for your help, we offer a reward for every report of a security problem not yet known to us. The size of the reward will be determined by the severity of the leak and the quality of the report.
We strive to solve all problems as quickly as possible, keep all parties involved informed, and we are happy to be involved in any publication about the problem after it is solved.
Vulnerabilities beyond the scope of this policy:
- Enumeration of username on client-facing systems (i.e., using server responses to determine if a particular account exists)
- Any bug that relies on an outdated browser
- Clickjacking on pages without sensitive actions.
- Unauthenticated / logout / login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Problems with SSL certificates.
- Server configuration issues (e.g. Open ports, TLS versions, Missing best practices in SSL / TLS configuration etc.).
- DNS configuration problems
- Any activity that could lead to a disruption of our service (DoS).
- Problems with content spoofing and textinjection without showing an attack vector / without being able to modify HTML / CSS
- Misinterpretations of rate limiting behavior as security flaws when triggered by CSRF protection mechanisms, specifically if reports are based solely on receiving a 403 HTTP response code without acknowledging the underlying CSRF validation process.
During the assessment and resolution process it is not allowed to publish without our permission. Once the CVD process is completed you are free to publish about it, however, we would like to have access to it before publication in order to correct any inaccuracies. A publication may only be placed with mutual consent.
Scope of this policy:
Any asset not listed in the scope is out of scope for the purposes of this policy, as is all content hosted by and for customers and third-party programs and plug-ins.
Please note that some of our websites run on a similar codebase. This means that problems found on one asset may also apply to another asset. These findings will be considered and treated as one problem.