GROUP POLICY ON

RESPONSIBLE DISCLOSURE

November 2020


1   Introduction

Within Etex Group, we value the security of our digital environment, including systems and websites. Despite the effort we put into appropriately securing our environment, we can never fully rule out that a vulnerability may still be present. This Responsible Disclosure policy is intended to be published on the different Etex websites and allows (external) security researchers to report identified vulnerabilities within a predefined framework, including the expectations and promises of Etex Group related to acts under this policy.
If you have found a weak spot in one of our systems, please let us know so that we can take remediation measures as quickly as possible. We would like to work together with you to safeguard our environment and even better protect our internal and external stakeholders.

2   Responsible disclosure – Our expectations

In order to comply with our Group Policy on Responsible Disclosure, we ask you:

• To report the vulnerability immediately after discovery.
• To email your findings to InfoSec@etexgroup.com. Take the necessary confidentiality (including encryption) measures to prevent the information being disclosed to malicious parties.
• Not to exploit the vulnerability by, for example, downloading more data than is necessary to demonstrate the weak spot, or deleting / modifying any data being exposed. At no point in time is it allowed to download, delete, or modify personal data.
• Not to deploy malware (e.g. virus, worm, trojan, botnet, etc.). Do not make changes to a system or copy, modify, or delete data in a system.
• Not to disclose or share the problem with others until it is remediated and to erase all data obtained through the leak immediately after reporting the vulnerability to Etex Group.
• Not to use any attack techniques related to physical security, social engineering (including spamming or phishing), (distributed) denial of service, or brute force attacks. Do not perform any actions that could have an impact on the proper functioning of the system, both in terms of availability and performance, and in terms of confidentiality and integrity of the stored data.
• To provide sufficient information to allow Etex to reproduce your findings and resolve them as quickly as possible. Usually the IP address or the URL of the involved system and a description of the vulnerability should be sufficient, possibly supported by additional screen prints or technical details. More complex vulnerabilities may require more information.
• To leave your contact details, so that Etex Group can contact you to remediate the vulnerability if more information is required. Leave at least your name and e-mail address. Reporting under a pseudonym is possible, but make sure that we can contact you if we should have additional questions.
• To confirm in your email to Etex that you have acted and will continue to act in accordance with this Responsible Disclosure Policy.

Any act under this Responsible Disclosure Policy should be strictly limited to conducting tests to identify potential vulnerabilities and sharing this information with Etex Group.
If, after the vulnerability has been removed, you wish to publish information about the vulnerability, we ask you to notify us at least one month before publication, and to give us the opportunity to respond. Identifying Etex Group, one of its subsidiaries or any of its employees in a publication is only possible after we have given our explicit approval.

3   Responsible disclosure – Our promise

• We will respond to you in a short period of time, if possible within 10 working days, with our assessment of the reported vulnerability and an expected remediation date. We will keep you informed of the progress of remediation.
• If you have fully complied with all above conditions and have not committed any other breaches, we will not take legal action against you regarding the performed acts under this policy.
• We will treat your report confidentially and will not share your personal data with third parties without your consent unless this is necessary to comply with a legal obligation.
• To thank you for your report, we offer a reward for every report of a security vulnerability that was not yet known to Etex Group. We will determine the size of the reward based on the criticality of the leak and the quality of the report, with a minimum of a voucher of 50 euro. In case you are reporting on behalf of a (security) consultancy company, we will require an invoice to be issued for any rewards exceeding a total of 200 euro. Under no circumstances will Etex Group proceed with payment in digital currencies such as Bitcoin.
• Finally, we offer the opportunity to be listed in our "Hall of Fame", for which we will require your formal consent before publication.

4   Document Control

Version #   Date Issued   Summary of Changes                      Author            Approved by
v0.1        30/10/2020    Initial Draft                           C. Van Pevenage
v0.2        24/11/2020    Including comments after Legal Review   C. Van Pevenage

5   Contact details

Please address any questions you may have in relation to this policy to the Information Security Team: InfoSec@etexgroup.com.
This text is a derivative work of "Responsible Disclosure" by Floor Terra, used under a Creative Commons Attribution 3.0 licence.