Responsible disclosure policy

At Effectory, the security of our systems, our networks and our products is very important to us. Despite our continuous security efforts, it is possible that an unexpected weak spot is discovered in one of our systems, networks or products. If you find such a vulnerability, we would like to hear from you so that we can act as soon as possible. We would like to work together with you to better protect information of our customers and our systems, networks and products.

Vulnerabilities can be detected in two ways: you run into it during the normal use of our digital environment, or you explicitly take effort to search for vulnerabilities. Our responsible disclosure policy is not an invitation to scan for vulnerabilities actively or unannounced as we also monitor our systems, our networks and our products ourselves. In case you are our customer we ask you to contact us in advance, so our IT colleagues are informed and your survey(s) is/are not blocked or delayed. When an unannounced scan is picked up and examined by our IT colleagues, IP addresses are blocked while investigation takes place and unnecessary costs may be incurred.

We ask you:

  • Email your findings of vulnerabilities to databreach@effectory.com. Encrypt your findings with our PGP key to prevent the information from falling into the wrong hands.
  • Do not misuse the vulnerability by, for example, downloading more data than is necessary to prove the vulnerability and restrain from viewing, removing or modifying data from third parties.
  • Do not share the vulnerability with others until it is resolved and erase all confidential data obtained through the vulnerability immediately.
  • Do not use physical security attacks, social engineering, (distributed) denial of service, spam, or third party applications such as hacking tools and vulnerability scanners, unless explicit agreements have been made.
  • Provide enough information to reproduce the vulnerability so that we can resolve it as soon as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability is sufficient, but more complex vulnerabilities may require more explanation.

We promise to:

  • Respond to your notification of the suspected vulnerability within three working days after our assessment and possibly an expected date for a solution.
  • Not take any legal action regarding the notification, assuming the above conditions are followed
  • Keep you informed of the progress of solving the vulnerability.
  • Treat your notification confidentially and do not share your personal information with third parties without permission. An exception to this is police and justice, in case of reporting to the police is called for or data is claimed by these parties.
  • It's not possible to promise no legal action in advance; we want to be able to judge each new situation on its specifics.
  • We consider ourselves morally obliged to report to the police when we suspect that the vulnerability or data is being abused (such as viewing, removing or modifying third-party data), or that you have shared knowledge about the vulnerability with others. However, you can rely on the fact that an accidental discovery in our online environment does not lead to reporting it to the police.
  • Depending on the severity of the vulnerability and the quality of your notification, we may offer a reward for a reported notification of an unknown security vulnerability, as a thank you for your help.

We aim to solve critical vulnerabilities as quickly as possible and keep all parties involved informed of the progress.