Responsible Disclosure
As a quality-driven training institute, The Security Academy wants to learn from the best experts in the field, and that may include you. We consider it very important that our ICT systems are safe and meet the highest security requirements. We know that, despite all our efforts to maintain our high standards, a weak spot in one of our systems can always be found. If you discover a weak spot in one of our systems, we would like to learn from you, and we will respond with the measures needed to improve security. Will you help us?
The Security Academy is eager to learn
- Please e-mail your findings to responsible@securityacademy.nl;
- To prevent information falling into the wrong hands, please encrypt the message with the public PGP key of the Security Academy;
- Provide sufficient information to be able to reproduce and investigate the vulnerability and your actions. For this, the Security Academy needs at least an IP/URL and a good description of the vulnerability; for more difficult vulnerabilities, more may be needed;
- Deal responsibly with your knowledge of the vulnerability; do not perform actions beyond what is necessary to demonstrate the vulnerability to us, and to us alone;
- It is handy to have your contact details; at least an e-mail address or telephone number;
- Do not share information about the vulnerability with others until it has been resolved;
In scope:
- Remote Code Execution
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- SQL Injection
- Encryption vulnerabilities
- Bypassing authentication or unauthorized access to data
Out of scope:
- DDoS attacks;
- Disruption of the operation of our ICT systems;
- Installing malware;
- Using “brute force” techniques;
- Copying, changing or deleting data;
- Making irreversible changes to a system;
- Social Engineering;
- Automated scans (such as ZAP, Nmap or Burp scans).
What can you expect from The Security Academy?
- If you comply with the conditions mentioned above and have acted in good faith, the Security Academy will not take any legal action as a result of your actions;
- The Security Academy will confirm receipt of your report within 48 hours;
- Within 30 days the Security Academy will share the result of the (technical) analysis with you and inform you of the ‘embargo period’ it will use to resolve the vulnerability. During that period no information about this vulnerability or the handling process may be shared with ‘third parties’;
- Describe the vulnerability found as clearly and in as much detail as possible, and attach evidence. You can assume that the notification will be read by technical security experts. Mention at least the following:
  - What vulnerability has been found;
  - The full URL where it was found;
  - The steps taken to find the vulnerability;
  - Objects (such as filters or input fields) that play a role;
  - Screen prints are appreciated.
- Please note: we only accept reports in Dutch or English.
- Send us an encrypted email describing the problem succinctly. To send the e-mail, use the PGP key that you can download below. A team of security experts will investigate your report. Give them time to fix the problem. You will hear as soon as possible what we think about your report, whether we will apply a solution and when we will do so.
- The Security Academy will treat your report ‘confidentially’ and respect your privacy unless laws and regulations require it to share information with the appropriate authorities;
- The Security Academy will reward your efforts to improve our security. The technical specialists of the Security Academy will assess and categorize your report, taking into account the possible impact within the context of our ICT architecture. The Security Academy will not elaborate on or discuss their analysis. Only the first report of a vulnerability will be rewarded. If you agree, your name will be listed below in our “ethical hackers wall of fame”.
- In order to keep you informed and to be able to award a possible reward and to add you to our wall of fame, we ask for your contact information such as name, e-mail address, PGP-Key and in some cases the telephone number. If the vulnerability is reported anonymously, we respect this.
- The contact information will only be used to keep you informed about the above matters and will not be passed on to third parties without your explicit permission. Exceptions are cases in which we are required by law to disclose it, or in which we transfer the investigation of the reported vulnerability to a third party. In those cases we do everything possible to keep this information confidential, and we remain responsible for it.
Deviating international rules
Please note that laws and regulations on responsible disclosure differ from country to country. If you reside outside the Netherlands, our policy may not fully apply to you. It is therefore possible that, even if you have acted in accordance with the guidelines of The Security Academy Responsible Disclosure policy, legal action is taken against you in your own country, even though The Security Academy has not reported the vulnerability to the authorities there.
responsible@securityacademy.nl