Responsible disclosure C2Results | IT Circle Netherlands

At C2Results | IT Circle Netherlands, we consider the security of our systems very important. Despite the care for the security of the systems, a weakness can occur. You can report these weaknesses to us. 


Collaborate

If you find a weakness in one of our systems, we would like to hear about it. We can then take measures as quickly as possible. We would like to work with you to better protect our users and systems. 

No invitation to active scanning

Our so-called responsible disclosure policy is not an invitation to extensively and actively scan our network or systems for vulnerabilities.

Criminal prosecution

It is possible that during the course of your research, you may perform actions that are punishable under criminal law. If you have complied with the conditions below, we will not take any legal action against you. However, the Public Prosecution Service always has the right to decide for itself whether to prosecute you criminally. 

Request to you

  • Email your findings as soon as possible to info@itcircle-nederland.nl  
  • Do not abuse the weakness found by, for example:
    • download more data than necessary to demonstrate the leak
    • change or delete the data
  • Be extra careful with personal data.
  • Do not share the weakness with others until it is resolved.
  • Do not use attacks on physical security or third-party applications, social engineering, (distributed) denial-of-service, malware or spam.
  • Please provide enough information to reproduce the vulnerability so that we can resolve it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability and the actions taken are sufficient, but more may be required for more complex vulnerabilities.

Our promise

  • We will respond within 5 business days with our assessment of the report and an expected date for resolution. 
  • We treat your report confidentially and will not share your personal information with third parties without your consent, unless necessary to fulfill a legal obligation. 
  • We will keep you updated on the progress of resolving the weakness. 
  • You can report anonymously or under a pseudonym. However, we will then not be able to contact you about, for example, the next steps, progress in plugging the leak, publication or any reward for the report. 
  • In posting about the reported vulnerability, if you wish, we will include your name as the discoverer of the vulnerability. 
  • We may give you a reward for your research, but are under no obligation to do so. Therefore, you are not automatically entitled to compensation. The form of this reward is not fixed in advance and is determined by us on a case-by-case basis. Whether we offer a reward and the form it takes depend on the diligence of your investigation, the quality of the report, and the severity of the leak.  
  • We strive to resolve all issues as quickly as possible and keep all affected parties informed. We are happy to be involved in any publication about the weakness after it is resolved. 

Not in scope

C2Results | IT Circle Netherlands does not reward trivial vulnerabilities or bugs that cannot be exploited. Below are examples of known vulnerabilities and accepted risks, which fall outside the above scheme: 

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages, and content spoofing/text injection on these pages
  • fingerprinting/version listing on public services, or public files or directories containing non-sensitive information (e.g. robots.txt)
  • clickjacking and problems that can only be exploited via clickjacking
  • missing Secure/HttpOnly flags on non-sensitive cookies
  • OPTIONS HTTP method enabled
  • anything related to HTTP security headers, for example:
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy
  • issues with the SSL/TLS configuration, for example:
    • forward secrecy disabled
    • weak/insecure cipher suites
  • issues with SPF, DKIM or DMARC
  • host header injection
  • reports of obsolete versions of any software without a proof of concept of a working exploit
  • information exposure in metadata

This Coordinated Vulnerability Disclosure arrangement aligns with the guidance issued by the National Cyber Security Center (http://www.ncsc.nl) and the example of Cooperative SURF U.A. (http://www.surf.nl). 

Version Responsible disclosure: September 7, 2021
