Responsible Disclosure

Found a vulnerability? Inform us as soon as possible! 

Getnoticed attaches great importance to the security of its systems and those of its customers. Despite all precautions, it is still possible that a weak spot can be found in our systems. If you discover a weak spot in one of our systems, we would like to hear from you, so that we can quickly take appropriate measures. If you make a report, Getnoticed will handle it in accordance with the agreements below.

We ask the following of you

  • Mail your findings to support@getnoticed.nl. 
  • Please provide enough information to reproduce the issue so that we can resolve it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability will suffice, but more complex vulnerabilities may require more information.
  • We welcome any tips that will help us solve the problem. Please limit yourself to verifiable facts that relate to the vulnerability you have identified, and avoid advice that effectively amounts to advertising for specific (security) products.
  • Leave contact details so we can get in touch with you to work together towards a safe outcome. Leave at least one email address or phone number.
  • Please submit the report as soon as possible after discovery of the vulnerability.


The following actions are not allowed

  • Placing malware, on our systems or on those of others;
  • Publicly reporting the facts you have found;
  • Copying, modifying or deleting data or systems;
  • Causing spam, abuse or damage;
  • Using techniques that reduce the availability and/or usability of the system or services (DoS attacks);
  • Causing interruptions to the operation of our systems;
  • Displaying sensitive data such as customer data;
  • Using social engineering;
  • Disclosing or providing information about the security vulnerability to third parties before it is resolved;
  • Taking actions that go beyond what is strictly necessary to demonstrate and report the security issue, in particular when it comes to processing (including viewing or copying) confidential data to which you have had access due to the vulnerability. Instead of copying a complete database, a directory listing, for example, is usually sufficient. Changing or deleting data in the system is never allowed;
  • Abusing the vulnerability in any (other) way.

What we promise

  • If you meet all the above conditions, we will not file a criminal complaint against you, nor will we bring a civil lawsuit against you.
  • If it turns out that you have violated one of the above conditions, we may still decide to take legal action against you.
  • We treat a report confidentially and do not share a reporter's personal data with third parties without their permission, unless we are obliged to do so by law or a court decision.
  • In mutual consultation we can, if you wish, mention your name as the discoverer of the reported vulnerability. In all other cases you remain anonymous.
  • We will send you an (automatic) confirmation of receipt within 1 working day and we will keep you informed of the progress of the solution.
  • We can offer you a reward for an unknown security problem as a thank you for the help. Depending on the severity of the vulnerability and the quality of the report, that reward can range from a simple "thank you" to a small financial reward.
  • We only reward serious security vulnerabilities with a financial reward (bypassing logins, access to personal data).

Out-of-scope vulnerabilities

  • Social engineering attacks, including attacks targeting our internal personnel
  • Physical attacks on our infrastructure, office or facilities
  • Scanner output or reports generated by scanners, including output of automated exploit tools
  • Any vulnerability obtained by exploiting an employee account
  • Any vulnerability found on test or staging environments (*.staging.* or *.ac*.* or *.dev*.*)
  • Network vulnerabilities such as:
    • Account takeover (PLA, user enumeration, etc.)
    • Spam, clickjacking, login/logout CSRF
    • Fingerprinting, error message disclosure
    • Protocol-level attacks (e.g. BEAST/BREACH)
    • Missing security headers, HttpOnly flags, etc.

Exceptions

If it concerns a vulnerability with a low or accepted risk, Getnoticed can decide not to reward a report. Below are some examples of such vulnerabilities:

  • HTTP 404 codes or other non-200 HTTP codes
  • Adding plain text in 404 pages
  • Version banners on public services
  • Publicly accessible files and folders containing non-sensitive information
  • Clickjacking on pages without a login function
  • Cross-site request forgery (CSRF) on forms that can be accessed anonymously
  • Lack of 'secure' / 'HTTP Only' flags on non-sensitive cookies
  • Use of the HTTP OPTIONS Method
  • Host Header Injection
  • Missing SPF, DKIM and DMARC records
  • Missing DNSSEC
  • Missing one or more of the following HTTP security headers:
    • Strict-Transport-Security (HSTS)
    • HTTP Public Key Pinning (HPKP)
    • Content-Security-Policy (CSP)
    • X-Content-Type-Options
    • X-Frame-Options
    • X-WebKit-CSP
    • X-XSS-Protection


We sow, you harvest

We believe in collaboration and in long-term partnership, because that is how we reap the rewards together.