Last updated: 2024
At BeneluxSoft B.V., we value the security of our systems, products and services. Despite our continuous efforts to apply strong security measures, vulnerabilities may occasionally surface. We encourage ethical security researchers, partners and users to report any potential weaknesses in a responsible manner.
This Responsible Disclosure Policy outlines how vulnerabilities should be reported, how we handle them, and what you can expect from us.
Our approach is aligned with:
- CERT & NCSC Coordinated Vulnerability Disclosure (CVD) Guidelines
- ENISA Good Practice Guide for Vulnerability Disclosure
- ISO/IEC 29147 (Vulnerability Disclosure)
- ISO/IEC 30111 (Vulnerability Handling)
- GDPR Article 32 – Security of Processing
1. Scope of This Policy
This policy applies to:
- BeneluxSoft corporate websites (including beneluxsoft.com)
- Cloud and web-based tools developed or operated by BeneluxSoft
- AI-driven systems, APIs and digital platforms deployed by our team
- Demo environments and publicly accessible endpoints
This policy does not authorize illegal activities or attacks on:
- Third-party services used by BeneluxSoft
- Systems not owned or managed by our company
- Test environments requiring explicit prior approval
If you’re unsure whether something falls under scope, contact us first.
2. Our Commitment to Ethical Security Researchers
If you act in good faith and follow this policy, we commit to:
- No legal action: We will not initiate civil or criminal action against researchers who comply with responsible disclosure principles.
- Fair, respectful and transparent communication: We will acknowledge your report, keep you informed and treat your submission professionally.
- Timely remediation: We aim to fix valid vulnerabilities as quickly as reasonably possible.
- Recognition (optional): If desired, researchers may be acknowledged on a planned Security Hall of Thanks page, unless anonymity is requested.
- Not a bug bounty program: We do not offer financial rewards at this time.
3. How to Report a Vulnerability
To report a possible security issue, please contact us at:
Email: [email protected]
Your report should include:
- A clear description of the vulnerability
- Steps to reproduce the issue
- The affected URL, API or system
- Screenshots or a proof of concept (if applicable)
- Your contact information (or state if you prefer anonymity)
We ask that you encrypt sensitive payloads before sending, if possible.
4. Guidelines for Ethical Research
To ensure safe and responsible testing, researchers must avoid the following:
- Exploiting a vulnerability beyond what is necessary to demonstrate its existence
- Accessing or downloading personal data, confidential files or private information
- Modifying or deleting data
- Performing DDoS attacks or brute-force attempts
- Introducing malware or harmful payloads
- Social engineering BeneluxSoft employees
- Publicly disclosing the issue before it is fixed
- Attempting to access internal systems without permission
- Using automated tools that may degrade system performance
Acceptable testing includes:
- Non-destructive testing (e.g. headers, metadata)
- Local PoCs that do not affect production data
- Testing authenticated endpoints only with your own accounts (if available)
- Identifying misconfigurations, insecure headers or access control issues
If in doubt, always contact us first.
5. What Happens After You Submit a Report
When you submit a vulnerability, we will:
- Acknowledge receipt of your report within 5 business days
- Investigate to verify and assess the impact
- Prioritize remediation based on severity (CVSS scoring may be used)
- Fix confirmed issues as soon as reasonably possible
- Update you once the vulnerability is resolved
- Provide an official closure notice
If you request credit, your name will be added to our acknowledgments page once the issue is fixed.
6. Responsible Disclosure Principles
We kindly ask researchers to follow these principles:
- Do not disclose the vulnerability publicly until we confirm that it has been fully resolved.
- Give us a reasonable amount of time to validate, patch and deploy the fix.
- Protect user data and avoid accessing personal or confidential information.
- Maintain confidentiality of all information shared during the process.
Following these principles ensures a safe and cooperative environment for both parties.
7. What Is Not Considered a Valid Vulnerability
The following types of findings are generally not accepted:
- Missing security headers that do not pose real impact
- “Best practice” suggestions without actionable risk
- Clickjacking without sensitive impact
- Brute-force possibilities without rate-limiting bypass
- Spam or SEO-related issues
- Physical security issues
- Outdated browser warnings
- Findings on external services not controlled by BeneluxSoft
We still welcome such reports, but they may not be treated as security vulnerabilities.
8. Legal Notes
If you comply with this policy:
- We will treat your testing as authorized security research, not as illegal activity
- We will not claim damages
- We will not involve law enforcement unless your behaviour is malicious
This is aligned with modern European approaches to safe harbour for ethical security research.
9. Updates to This Policy
BeneluxSoft may modify this policy to reflect improvements in our security processes or alignment with updated CERT/NCSC guidelines.
The “Last Updated” date will be revised accordingly.
10. Contact Information
For all vulnerability-related communication:
Website: https://beneluxsoft.com/
Benelux Soft B.V.
Da Vincilaan 1, 1930 Zaventem België
VAT: BE 0781.446.153
Email: [email protected]
Phone: +32 484 53 00 39