Coordinated Vulnerability Disclosure Statement
At Royal FloraHolland, the security of our systems is of paramount importance. We want to create the safest possible conditions for our growers and buyers. Nevertheless, there may be security weaknesses that leave our systems vulnerable. To combat this, we have a Coordinated Vulnerability Disclosure procedure in place. If you have discovered a bug or vulnerability, we’d love to hear from you!
We kindly ask you to:
- send your finding via the following URL: Zerocopter;
- use the CVSS calculator when entering the finding;
- make a report as soon as possible to prevent malicious persons from also finding the vulnerability and taking advantage of it;
- report the matter in a confidential manner to the organisation to prevent others from accessing the information as well;
- provide enough information to reproduce the problem so we can fix it as soon as possible (usually, the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more may be needed for more complex vulnerabilities).
We kindly ask you not to:
- reveal the vulnerability or problem to others until it is resolved;
- place your own backdoor in an information system and then use it to demonstrate the vulnerability (this could cause additional damage and unnecessary safety risks);
- misuse a vulnerability beyond what is necessary to establish the vulnerability;
- copy, modify or delete data from the system (an alternative is to create a directory listing of a system);
- make any changes to the system;
- access the system repeatedly or share access with others;
- use brute-force attacks, social engineering, physical security attacks, distributed denial of service, spam or third-party applications to access systems.
What we promise:
- to respond to your report within 5 days with our assessment of the report with an expected date for resolution;
- if you have complied with the above conditions, not to take any legal action against you regarding the report;
- to treat your report confidentially and not to share your personal data with third parties without your consent, unless this is needed to comply with a legal obligation (it is possible to make a report under a pseudonym or anonymously);
- to keep you updated on our progress in solving the problem;
- to mention your name, if you wish, as the person who discovered the problem in messages about it.
We aim to resolve all problems as soon as possible and we are happy to be involved in any publication about the problem after it is resolved.