
Common Vulnerability Disclosure Policy

This policy applies to all persons seeking to report technical vulnerabilities relating to all products and services offered by Athumi.

Context

A vulnerability is a technical or human weakness or defect that can be exploited by one or more threats and that can lead to unauthorized access, modification or deletion of information and data.

Athumi attaches great importance to the security of the information and systems that we manage and share with our customers. Where possible, Athumi takes appropriate technical and organizational measures in accordance with the Athumi information security policy, which is in line with the Information Classification Framework of the Flemish Government and the associated minimum measures.

Although we pay a lot of attention and care to the security of our systems, there may still be a vulnerability. We encourage you to report any vulnerabilities you may have discovered in our systems, so that we can take appropriate measures as quickly as possible. This Responsible Disclosure Policy allows you to inform us when you discover a vulnerability.

When you discover a vulnerability

Please report this as soon as possible to security@athumi.eu and include in your report:

  • URL or IP address where you discovered the vulnerability, a description of what you have determined, preferably with a description of how you arrived at that conclusion so that we can reproduce it.
  • Your contact details (at least: name, e-mail address, telephone number) so that we can contact you for further questions.

Please help protect our services and systems by:

  • behaving ethically and in no way negatively influencing the functioning of our systems through the techniques you apply and the tools you use. We cannot tolerate failure to respect this.
  • not abusing the vulnerability yourself (e.g. abusing any access to download additional data, DDoS, spam, social engineering attacks, etc.) and deleting any accidentally received data in consultation with Athumi.
  • not actively using brute force, DDoS, spam, social engineering, or other attack techniques yourself with the intention of detecting vulnerabilities.
  • not sharing the vulnerability with others and treating it as confidential until the vulnerability has been resolved.
  • when reporting vulnerabilities in third-party components, taking into account that if these are known vulnerabilities, we will follow them up internally and prioritize them based on the CVSS-score of the vulnerability and the possible associated risk for Athumi.
  • confirming that you will respect the contents of this page.

Then we guarantee:

  • to treat your report as well as the personal data you have shared with us confidentially.
  • to respond and involve you in the assessment and resolution of the vulnerability and to inform you about this.
  • not to take legal action against you.

Note

Athumi will not compensate you financially in any way for reporting vulnerabilities. However, we will list you in our “Security Hall of Fame”.

Security Hall of Fame

We will list the people who helped us report vulnerabilities here.

-

This is version 1.0 of this document.
