Responsible disclosure

Are you an expert, and have you discovered a vulnerability in our systems? Please help us by reporting it. That way we can improve the safety and reliability of our systems together.
 

Royal Visio and safety

At Royal Visio, we think it is important that you can use our websites safely. Despite the care we take over the security of our systems, vulnerabilities can still occur.
 

What can you report?

You can report security-related issues in an Enviter website. If you have found a problem or weakness, please notify us as soon as possible. Vulnerabilities that can be reported are:

  • Authentication / Authorization
  • Cross Site Scripting (XSS) vulnerabilities
  • SQL injection vulnerabilities
  • Encryption weaknesses
  • Information leakage

 

How can you make a report?

You can send your report by e-mail to disclosure@visio.org. Use our public PGP key for this. State briefly in your e-mail which vulnerability you have found, in particular:

  • Which steps you took
  • What the full URL is
  • Which objects may be involved (for example, which input fields or filters)
  • Screenshots are welcome

Our specialists read your report and get started right away. Do you see a weak spot in our IT systems? Please always contact us as soon as possible. Do not wait.
 

What do we do with your report?

A team of security experts will investigate your report and provide an initial response within two business days. Do not make the problem public, but talk to our experts and give them time to solve the problem. We will let you know what we think of your report, whether we will apply a solution, and when we plan to do so.
 

The rules

During your research, you may carry out acts that are punishable by law. If you act in good faith, carefully and according to the specified rules, there is no reason for Royal Visio to file a criminal complaint against you. Therefore, please follow the rules set out in this responsible disclosure policy and do not act disproportionately:

  • Make sure not to do any damage while investigating the vulnerability found.
  • Do not use social engineering to access a system.
  • Under no circumstances should your research lead to an interruption of our services.
  • Under no circumstances should your research lead to the disclosure of customer data.
  • Do not place a backdoor in a system. Not even to demonstrate the vulnerability. By placing a backdoor in a system, that system becomes even more unsafe.
  • Do not modify or delete any data in the system. Does your research require copying data from the system? Then never copy more data than necessary. If 1 record is sufficient for your research, do not go any further.
  • Do not make system changes.
  • Do not attempt to enter a system more often than necessary. If you manage to enter a system, do not share the access with others.
  • Do not use brute force techniques (repeated password attempts) to access systems.
  • Do not use techniques that can affect the availability of our services.

 
Can I get a reward for my research?

Visio would appreciate it if you help us to optimize our systems and processes. You will be compensated for any reported vulnerabilities that have actually been resolved by us or that have led to a change in service.
 

Can I also report a weak spot anonymously?

Yes, you do not have to provide your name and contact details when making a report. Please keep in mind that we will then not be able to consult with you about the next steps, for example what we will do with your report, further cooperation, and your recognition, such as attribution or any reward.
 

What is the hotline not meant for?

  • Filing complaints about the services or websites of Enviter
  • Questions or complaints about the availability of websites
  • Reporting fake emails or phishing emails
  • Reporting viruses
 

Your privacy

Enviter only uses your personal data to take action on your report. We do not give your personal data to others without your permission, unless we are legally required to hand over your data or we engage another company to further investigate your report. In that case, we will always ensure that they, in turn, keep your data secret in the same way as we do. Enviter remains responsible for your data even then.
 

Other terms

We can only accept reports written in Dutch or English. For the payment of rewards, we need your personal data. If several reporters report the same finding at the same time, the reward will go to the first reporter.
 

Responsible Disclosure scheme

The National Cyber Security Centre of the Ministry of Security and Justice has drawn up a guideline on how to report weaknesses in IT systems. Our rules are based on that guideline. If you want to read more about the "Guideline to arrive at a practice of Responsible Disclosure", please consult the website of the National Cyber Security Centre.