Responsible Disclosure Policy

Responsible Disclosure Policy for ElaadNL

This Responsible Disclosure Policy (hereafter “Policy”) outlines the process for reporting security vulnerabilities in ElaadNL’s information technology (IT) infrastructure.

ElaadNL is committed to maintaining a secure IT environment for our users and partners. This Policy encourages security researchers and ethical hackers to report vulnerabilities responsibly, allowing us to address them before they can be exploited.

1. What vulnerabilities are covered by this Policy?

We encourage you to report vulnerabilities related to our core services at elaad.nl (with the exception of synergy.elaad.nl), elaad.io, and public IP addresses 85.10.172.67-69. These include, but are not limited to:

  • Remote Code Execution (RCE)
  • Injection vulnerabilities such as SQL injection and Cross-Site Scripting (XSS)
  • Broken access control
  • Encryption vulnerabilities

The following types of issues are considered out of scope:

  • Phishing emails impersonating ElaadNL. Please forward these to security@elaad.nl with the original email as an attachment (if possible without the suspicious attachment, since your email might otherwise be blocked).

2. How to report the vulnerability?

Please provide a detailed description of the discovered vulnerability with supporting evidence (logs, screenshots, etc.) if possible. This will allow our security team to analyze the finding efficiently.

Reports can be submitted to: security@elaad.nl

If your issue involves sensitive information, such as personal data or test-result data, we request that you encrypt your communication using the key found in our security.txt file.

Please include the following in your report (if applicable):

  • A description of the vulnerability.
  • Steps to reproduce the issue, including proof-of-concept or exploit code if applicable.
  • Impact of the issue: affected services and requirements for exploitation.
  • Any other relevant information.

Once a report is received, we aim to acknowledge receipt within three (3) business days. Furthermore, we strive to resolve identified issues as quickly as possible. Note that, depending on the vulnerability, and the parties involved, this may take some time.

Any personal details you provide will be processed according to ElaadNL’s Privacy Policy (https://elaad.nl/en/privacy-statement/). We will use your information only to respond to your report and address the vulnerability. We will retain your data for as long as the investigation is ongoing and up to one year after its completion.

Note that providing personal information while reporting a vulnerability is optional. We also welcome anonymous reports. We might not be able to send you status updates if a throwaway email address is used.

3. What rules should you adhere to?

We aim to foster a safe, ethical, and collaborative environment. Therefore, the following ethical engagement rules are expected from both sides:

Our Commitment to You:

If you act in good faith when identifying and reporting vulnerabilities, we will not initiate legal action against you. We recognize that responsible disclosure is a critical component of security improvement, and we are committed to working with researchers to address issues safely and promptly.

Your responsibilities:

To ensure a safe and collaborative environment, we ask that you follow these ethical engagement rules:

  • Report the vulnerability to us directly, using the designated email address and the methodology described above.
  • Report the vulnerability promptly to prevent exploitation.
  • Grant us reasonable time to investigate and address the vulnerability.
  • Maintain confidentiality of the vulnerability, especially if it involves personal or testing data.
  • Refrain from disclosing the vulnerability to others.
  • Never place a backdoor, not even to demonstrate a vulnerability.
  • Do not perform any actions to go beyond what is necessary to confirm the vulnerability.
  • Do not copy, modify, or remove data, but create a (directory) listing instead.
  • Do not use brute-force techniques.
  • Do not use phishing or social engineering techniques.
  • Avoid aggressive automated scanning.
  • Abstain from actions that negatively impact the confidentiality, integrity, or availability of our services.

Legal implications:

While we aim to protect those acting ethically and in good faith, we do not tolerate any activities with malicious intent, especially where these actions are illegal and unnecessary for confirming a discovered vulnerability. Prohibited actions include, but are not limited to, data tampering, intentional damage and denial-of-service attacks. Any such deviation from ethical behavior, such as exploiting a vulnerability for personal gain or causing harm, may result in legal action, including prosecution under applicable laws.

4. Is ElaadNL offering any rewards for discovered vulnerabilities?

This Policy is not intended to incentivize hacking attempts, but to provide a framework for reporting and remediating security vulnerabilities securely. We do not offer any monetary rewards for reporting vulnerabilities. On a case-by-case basis, we may acknowledge your contribution publicly after consultation.

5. Questions

If you have any questions regarding this Policy, please feel free to contact us at security@elaad.nl.