Responsible Disclosure (English)
At Lentiz onderwijsgroep (education group), the security of our systems is very important to us. Despite the care we take in securing our systems, it is still possible that a weak spot exists.
If you have found a weak spot in one of our systems, please let us know so that we can take measures as soon as possible. We would like to work with you to better protect our customers and our systems.
What we ask of you:
- Email your findings to responsible-disclosure@lentiz.nl. Do not include confidential or privacy-sensitive information in this email. If necessary, agreements about the secure exchange of information can be made after the initial contact;
- Do not abuse the problem by, for example, downloading more data than is necessary to demonstrate the leak, or by viewing, deleting or modifying data belonging to third parties;
- Be extra careful when sharing confidential/personal data;
- Do not share the problem with others until it is resolved, and erase all confidential data obtained through the leak immediately after the leak has been closed;
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications;
- Provide sufficient information to reproduce the problem so that we can solve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more complex vulnerabilities may require more information.
What we promise:
- We respond to the report within 10 days with our assessment of the report and an expected date for resolution;
- If you have complied with the above conditions, we will not take any legal action against you regarding the report;
- We treat the report confidentially and will not share personal data with third parties without your permission, unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is possible;
- In reporting on the reported problem, we will, if you wish, mention your name as the discoverer;
- We thank everybody who has reported a vulnerability in a responsible way on our Wall of Fame;
- As a thank you for your help, Lentiz may decide to offer a reward for every report of a security problem unknown to us, but is not obliged to do so. We determine the size of the reward based on the severity of the leak and the quality of the report.
Out of scope:
Lentiz does not reward trivial vulnerabilities or bugs that cannot be exploited. Below are examples of known vulnerabilities and accepted risks that fall outside the above scheme:
- HTTP 404 codes/pages or other HTTP non-200 codes/pages, and content spoofing/text injection on these pages;
- fingerprinting/version indication on public services;
- public files or directories containing non-sensitive information (e.g. robots.txt);
- clickjacking and problems that can only be exploited via clickjacking;
- missing Secure/HttpOnly flags on non-sensitive cookies;
- OPTIONS HTTP method enabled;
- everything related to HTTP security headers, for example:
  - Strict-Transport-Security
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Content-Security-Policy
- issues with SSL configuration;
- SSL forward secrecy disabled;
- weak/insecure cipher suites;
- issues with SPF, DKIM or DMARC;
- host header injection;
- reporting outdated versions of any software without a proof of concept of a working exploit;
- information exposure in metadata;
- any DoS/DDoS-related misconfiguration.
Lentiz strives to solve all problems as quickly as possible and we are happy to be involved in any publication about the problem after it has been solved.
This policy is licensed under a Creative Commons Attribution 3.0 license. The policy is based on Floor Terra’s sample policy.