
RESPONSIBLE DISCLOSURE


At Infradax B.V. we take the security of our systems seriously. Despite the care we take, a vulnerability can still exist in one of our systems.

If you have found a vulnerability in one of our systems, we would like to hear about it so that we can take measures as soon as possible. We would like to work with you to better protect our customers and our systems.

We ask you:

  • Email your findings to rd@infradax.com and encrypt them with our PGP key, so that the information cannot fall into the wrong hands,
  • Do not abuse the problem, for example by downloading more data than is necessary to demonstrate the leak, or by accessing, deleting or modifying third-party data,
  • Do not share the problem with others,
  • Do not use physical security attacks, social engineering, distributed denial of service, spam or third-party applications, and
  • Provide sufficient information to reproduce the problem so that we can fix it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more may be required for complex vulnerabilities.

Scope:

Infradax websites.

  • *.Infradax.nl/*
  • *.Infradax.fr/*
  • *.Infradax.com/*
  • *.Werkenbijinfradax.nl/*
  • *.Idxportal.nl/*
  • *.Office-extensions.nl/*

What we promise:

  • We will respond to your report as soon as possible with our assessment of the report and an expected date for resolution,
  • If you have complied with the conditions above, we will not take any legal action against you regarding the report,
  • We will treat your report confidentially and will not share your personal information with third parties without your consent, unless necessary to comply with a legal obligation,
  • We will keep you informed of the progress in resolving the issue,
  • As thanks for your help, we sometimes offer a reward for reporting a security problem that is still unknown to us. We determine the size of the reward based on the severity of the issue and the quality of the report.

Infradax may choose to reward a security researcher who has submitted a report through this responsible disclosure process. The amount of the reward depends on the quality of the report, the severity of the security issue and the professionalism of the security researcher.

Infradax B.V. considers the following vulnerabilities ineligible under this program:

  • Distributed denial of service
  • Content spoofing
  • Social engineering, including phishing
  • Unconfirmed reports from automated vulnerability scanners
  • Disclosure of server or software version numbers
  • Generic examples of Host header attacks without evidence of the ability to remotely attack a victim
  • Reports about the permitted password strength
  • SSL/TLS vulnerabilities without a working PoC demonstrating the impact
  • Theoretical subdomain takeover without supporting evidence
  • Alleged security weaknesses without evidence of the ability to remotely attack a victim, for example credentials sent as plain text in a POST body, missing rate limits, brute forcing without demonstrable impact, etc.
  • Reports that rely on the behaviour of, or vulnerabilities in, outdated browsers
  • False reports, or reports without evidence of a vulnerability
  • Clickjacking / UI redressing without demonstrable risk
  • Non-state-changing CSRF vulnerabilities
  • Tabnabbing