Responsible Disclosure

Vulnerabilities in IDEAtells’s ICT Systems

IDEAtells attaches a great deal of importance to the security of its systems. In spite of the attention devoted to system security, it is possible that a weak spot may have been overlooked. Should you find a weak spot in one of IDEAtells’s systems, we would like to hear from you, so that the necessary measures can be taken as quickly as possible. For this reason, IDEAtells implements the following policy concerning the handling of reports of observed vulnerabilities in its ICT systems. You can hold IDEAtells accountable for this policy when you come across a weak spot in any of the systems and you report this. We would like to work together with you to be able to better protect the data in our systems.

IDEAtells expects you to do the following

  • Send the report as quickly as possible after the discovery of a vulnerability to [email protected].
  • The report must include the information required by IDEAtells to reproduce the problem. Generally, the IP address or the URL of the affected system and a description of the vulnerability are sufficient. However, additional information may be required in the event of more complex vulnerabilities.
  • At a minimum, please provide an e-mail address or a telephone number, so that we can work together with you to produce a secure result.
  • Do not share any information about the vulnerability with others until after it has been resolved.
  • Deal responsibly with the knowledge about the security problem by avoiding any actions that go beyond those required to demonstrate the security problem.

In any event do NOT:

  • Spread malware;
  • Copy, change or remove data from the system (an alternative to this is to create a directory listing of the system);
  • Make any changes to the system;
  • Repeatedly gain access to the system or share access to the system with others;
  • Make use of so-called brute force attacks to access the system;
  • Make use of (distributed) denial-of-service or social engineering attacks.

What to expect from IDEAtells

  • If you meet the above conditions when you report an observed vulnerability in an IDEAtells ICT system, IDEAtells will not take any legal action against you.
  • IDEAtells treats a report as confidential and will not share personal information with third parties without your permission, unless required to by law or pursuant to a court ruling.
  • IDEAtells will send you a confirmation of receipt within 1 working day.
  • IDEAtells will respond to a reported vulnerability within 3 working days with an evaluation of the reported vulnerability and the expected resolution date (if known at that point).

IDEAtells will keep you informed of the progress in resolving the problem.