Responsible Disclosure Policy

Responsible Disclosure

At PTI we consider the security of our systems a top priority, but are well aware that vulnerabilities can always be present, regardless of how much effort we put into securing our applications and infrastructure. If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible.

 

This is not an invitation to actively scan us

This document is not an invitation to actively scan our systems or networks, looking for vulnerabilities. Since we monitor our systems, your scans may be detected and investigated by our Computer Emergency Response Team (CERT), which leads to unnecessary costs for us.

 

Do’s and Don’ts

Please do the following:

  • Inform us as soon as possible.
  • E-mail your findings to cert@pti.nl. Encrypt your findings using our PGP key (fingerprint A063879A199F5CEF70B951D49A508E3ED4C54B0D ) to prevent this critical information from falling into the wrong hands.
  • Provide us with enough detailed information to reproduce the problem, so that we can fix it. This should include the affected IP address or the URL of the affected system, a description of the vulnerability, and used method and time of investigation. With complex vulnerabilities we may require further explanation.
  • Act ethical and responsible with your knowledge about our security problem.

 

Do not do the following:

  • Take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data.
  • We always take your report seriously and will even investigate without hard ‘proof’.
  • Reveal the problem to others.
  • Repeatedly gain access to the system using the same attack vector
    • Use attacks on physical security, social engineering, distributed denial of service (DDOS), bruteforce attacks, spam or applications of third parties
    • Place backdoors in our systems
    • Take any other measure that might affect our service to our customers.

 

 What we promise

  • If you have followed the instructions above, we will not take any legal action against you in regard to reporting the issue.
  • Within 3 business days after receiving your findings, we will acknowledge receiving your e-mail.
  • We will respond to your report within 5 business days after sending the acknowledgement with our evaluation of the report and an expected resolution date.
  • We will handle your report with strict confidentiality. We will not pass on your personal details to third parties without your permission, with the exception of cases where we are legally obliged to share this information.
  • We strive to resolve all problems as quickly as possible.
  • We will keep you informed of the progress towards resolving the problem.
  • Together we will discuss if and how other parties will be informed about the problem. We never disclose vulnerabilities to the general public before we have fixed them.  The ultimate decision on publication lies with PTI.

 

Credits and Rewards

We feel that this branch of sport should not be driven by motives such as personal gain or fame, but purely with the purpose and intent to make the digital world a safer place. However we see that you invest time and effort. As such:

  • If we both agree to disclose the fixed vulnerabilities to the public, we will give your name as the discoverer of the problem (unless you desire otherwise)
  • As a thank you for helping us we may provide you with a reward (but are not obliged to do so). The type of reward depends on the situation. Rewards might range from goodies to a gift certificate.
  • We do not give out a reward if:
    • The problem is already known to us
    • The problem lies within one of the external services we use
    • The problem is regarding (D)DOS or self-inflicted-XSS
    • An error is shown, but without providing any sensitive information
    • The problem is regarding the possibility to detect the stack we are using
    • The problem depends on old(er) OS’ses, browsers or unconventional plugins

 

Thank you for working together with us. We really appreciate it.

 

This Responsible Disclosure statement is based on the work of Floor Terra as published on https://www.responsibledisclosure.nl and takes into account the suggestions from the “Leidraad Responsible Disclosure” (Guidelines Responsible Disclosure) from the NCSC (Dutch National Cyber Security Center).