Responsible Disclosure

We take the security of our systems and users very seriously and attach great importance to improving it. Despite all precautions, it is still possible that a weak spot can be found in the systems. In order to stay one step ahead of malicious parties, we would like anyone who finds a vulnerability in our systems to report it to us.

By submitting a report, you declare that you agree with the following terms of this Responsible Disclosure policy, and we will handle your report in accordance with them.

We ask the following from you:

  • Submit the report as soon as possible after discovering a potential vulnerability.
  • To report, use the appropriate form "Notification Responsible Disclosure".
  • Please provide enough information to reproduce the problem so that we can resolve it as soon as possible.
  • We welcome tips that help us solve the problem. Please limit yourself to verifiable facts that relate to the vulnerability you have identified, and make sure your advice does not amount to advertising for specific (security) products.
  • Avoid invasion of privacy, degradation of user experience, disruption to production systems and destruction of data during security testing.
  • Do not share the problem with others until it is resolved.

What is not allowed:

For the safety of our users, employees, the internet in general and you as a security researcher, the following actions are not permitted:

  • Testing applications other than this domain, namely “simgroep.nl”.
  • Taking actions that go beyond what is strictly necessary to demonstrate and report the security problem.
  • Social engineering and/or physical testing (e.g. phishing, tailgating).
  • Using techniques that reduce the availability and/or usability of the system or services (e.g. DoS attacks).
  • Placing malware.
  • Copying, changing or deleting data in the system.
  • Disclosing or providing information about the vulnerability to third parties before it is resolved.

What can you expect from us:

  • We will work with you to understand and resolve the vulnerability promptly (including an initial confirmation of your report within 72 hours of submission);
  • We will keep you informed of our efforts to resolve the vulnerability;
  • If you meet all of the above conditions, we will not file a criminal charge against you or bring a civil action against you.

If you have any questions or comments about this Responsible Disclosure, please contact Emiel Duinisveld (Chief Information Security Officer at Shift2).