Responsible Disclosure

The security of this website and other websites from CCV is very important to the CCV Group. In spite of our care to strengthen the security of our information systems, it is still possible that there are vulnerabilities currently present in our internet-facing web applications.

We value the assistance of security researchers and others in the security community to improve the security of our websites. We like to work together with you to better protect our customers and our websites.

What we ask you:

  • Email your findings to security@ccv.eu.
  • Do not abuse the problem by downloading, accessing or changing more data than necessary to detect the vulnerability;
  • Do not share the problem with others until it is confirmed to be resolved;
  • Erase all confidential data obtained through the leak immediately after conformation of the problem by our team;
  • Do not use attacks on our physical security or use social engineering, service attacks, brute-force attacks, spam or third-party ;
  • Provide sufficient information to reproduce the problem so that it can be resolved as quickly as possible. Usually, the IP address or URL of the affected system and a vulnerability description are sufficient, but for more complicated vulnerabilities more detailed information may be needed.

What we promise:

  • Within 5 working days, we will respond to your responsible disclosure;
  • If you have met the above terms, we will not take legal action regarding the responsible disclosure;
  • We will treat your report confidentially and will not share your personal information with third parties without your consent unless necessary to comply with a legal obligation. Reporting under a pseudonym is possible;
  • and a place in our hall of fame for any notification that we qualify as vulnerability. We determine the size of the reward based on the severity of the leak and the quality of the . When a qualified vulnerability has been approved and resolved by us, you will get a position in our hall of fame

Qualifying vulnerabilities:

We have defined qualified vulnerabilities as follow: Web application vulnerabilities such as XSS, XXE, CSRF, SQLi, Local or Remote File Inclusion, authentication issues, remote code execution, authorization issues and privilege escalation. These qualified vulnerabilities must have an impact on the security of the web application and an increased risk for our customers. You must be the first researcher to responsibly disclose the vulnerability to us in order to qualify for a reward. Each submission will be evaluated on a case-by-case .

Please note that submitting scan results from automated tooling like Nessus, OpenVAS, Burp Suite or WPScan, etc. do not qualify as valid vulnerabilities. The security team is aware of these vulnerabilities.

Legal:

If users/individuals do not adhere to the above mentioned policies, we reserve the right to take appropriate (legal) measures and/or get law enforcement involved.

This CCV Group Vulnerability Policies are governed by Dutch law. CCV Group reserves the right to alter this policy at any time, possibly resulting in loss of an offer of a reward.

Hall of fame:

This hall of fame is tracked since August, .

So far, the hall of fame is still empty.