Responsible Disclosure Policy

At Exclusive-IT, we believe that the security of our systems, our network and our products is very important. We pay a lot of attention to this during development and maintenance. However, sometimes vulnerabilities escape detection. We appreciate you notifying us if you find one. We would prefer to hear about it as soon as possible so that we can take measures to protect our customers. This document describes the procedure we have prepared for this.

Reporting

If you believe you’ve found a security issue in our product or service, please notify us as soon as possible by emailing us at security@exclusive-it.nl.

Rules

Our responsible disclosure policy is not an invitation to actively scan our company network for vulnerabilities. Our systems are being monitored continuously. As a result, there is a good chance that a scan will be detected and our Security Operation Center (SOC) will investigate it.

How does Exclusive-IT handle Responsible Disclosure?

When you report a suspected vulnerability in an IT system, we will deal with this in the following way:

Exclusions

This Responsible Disclosure scheme is not intended for reporting complaints. The scheme is also not intended for:

For issues pertaining to the above and any other inquiries, please get in touch with our support team.

Rewards / bug bounty

Exclusive-IT has a bug bounty scheme to encourage the reporting of problems concerning the security of our systems. We make an appropriate monetary reward available for reports that actually lead to remedying a vulnerability or a change in our services. We decide whether the report is eligible, and the nature and amount of the remuneration.

Which systems/problems are excluded from bug bounty rewards?

Not all systems that are accessible under our logos fall under Exclusive-IT’s direct control. Although we also take reports regarding these systems very seriously, we cannot allow them to fall under a bug bounty scheme.

We also exclude specific problems that in our opinion do not constitute a threat outside of a laboratory set-up.

Excluded systems

Excluded types of security problems

This policy has been drawn up based on the NCSC’s Responsible Disclosure Guideline.