Report vulnerability

(Coordinated Vulnerability Disclosure)

Amendment date: January 2023

At CODE24, the security of our website(s) and software is very important to us. Despite our care for security, there may still be a weakness. Have you discovered a vulnerability on CODE24's website(s) or software? If so, please report the vulnerability to CODE24 before disclosing it to the outside world. Making such a report is called a Coordinated Vulnerability Disclosure (CVD). These disclosures allow us to improve the security of our website(s) and software.

Report

You can report a vulnerability on the website to the security officer at securityofficer@code24.nl. Encrypt your findings with our PGP key to prevent the information from falling into the wrong hands.

We ask you:

  • Not to exploit the vulnerability by, for example, downloading more data than necessary to demonstrate the leak or accessing, deleting or modifying third-party data;

  • Not to share the vulnerability with others until it is resolved, and to delete all confidential data obtained through the vulnerability immediately;

  • Not to use physical security attacks, social engineering, distributed denial of service (DDoS), spam or third-party applications;

  • To provide sufficient information to reproduce the vulnerability so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more may be required for more complex vulnerabilities.

What we promise:

  • We will respond to your report within three days with our assessment of the report and an expected date for resolution;

  • If you comply with the above conditions, we will not take any legal action against you regarding the report;

  • We treat your report confidentially and will not share your personal information with third parties without your consent unless necessary to fulfill a legal obligation;

  • We will keep you updated on the progress of resolving the vulnerability;

  • If you wish, we will include your name as the discoverer when we post about the vulnerability.

Exclusions

This disclosure procedure is not for reporting complaints. It is also not intended for:

  • Reporting that the website is unavailable;

  • Reporting fraudulent emails (phishing emails);

  • Reporting scams.

We also exclude specific problems that, in our opinion, do not pose a threat.

Excluded systems:

  • All systems other than domains ending in 'code24.nl'.

Excluded types of security problems:

  • SPF/DMARC records;

  • (D)DoS attacks and rate limits on calls;

  • Problems that amount to self-XSS;

  • Error messages without sensitive data;

  • Reports that it is possible to derive which software we use.