What should you do if you discover a weak spot in RINIS's IT systems?
- Please e-mail your findings to firstname.lastname@example.org.
- Notify us of the vulnerability as soon as you can after you discover it.
- Provide enough information to reproduce the problem, so that we can resolve it as soon as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are enough, but in more complex cases more information may be needed.
- Leave us your contact details so that we can work with you in order to achieve a secure outcome. We will need at least your e-mail address or phone number.
What you must never do
- Share information about the security problem with others.
- Install malware.
- Copy, change or delete information in a system or create a directory listing for a system.
- Make changes to the system.
- Repeatedly access the system or share the access with others.
- Access the system using 'brute force'.
- Deploy DoS (Denial of Service) or social engineering.
What can you expect RINIS to do if you make a responsible disclosure (i.e. justified report)?
- We will deal with your disclosure in confidence and will not share your personal details with any third parties without your consent, unless we are obliged to do so by law or a judicial ruling.
- You will receive confirmation of receipt within one working day.
- You will receive a detailed response to your disclosure within five working days.
- If possible, we will work with you in order to resolve the problem. In all cases, we will keep you informed about the progress made.
- We assess each disclosure separately. This means that we cannot guarantee that legal steps will not be taken. However, you can rest assured that a responsible disclosure will not lead to the judicial authorities being informed.
- What's more, if your report has actually helped to improve the security of our systems you will receive an appropriate gift for your help as a thank-you.