SEVOCOMM - Vulnerability Disclosure Policy (VDP)
Belgium | Netherlands | Germany | Russia | Ukraine
Monday - Thursday 09:00-17:00, Friday 09:00-16:00

Vulnerability Disclosure Policy

SEVOCOMM > Vulnerability Disclosure Policy
    Spread the word
    Released by Legal Counsel on January 1st, 2021

    How SEVOCOMM handles security vulnerabilities

    As a provider of services for users across BeNeLux, CIS, UKIE and DACH, we recognise how important it is to help protect user privacy and security. We understand that secure services are instrumental in maintaining the trust users place in us and we strive to create innovative services that both serve user needs and operate in the user’s best interest and that what we wrote this vulnerability disclosure policy.

    This policy describes what systems and types of security research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

    We encourage security researchers to contact us to report potential vulnerabilities identified in SEC systems.  For reports submitted in compliance with this policy, the DPO of SEVOCOMM will acknowledge receipt within three business days, endeavour to timely validate submissions, implement corrective actions if appropriate, and inform researchers of the disposition of reported vulnerabilities.

    If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and we will not recommend or pursue legal action related to your research.

    Test Methods

    Security researchers must not:

    • Test any system other than the systems set forth in the ‘Scope’ section below,
    • disclose vulnerability information except as set forth in the ‘Reporting a Vulnerability’ and ‘Disclosure’ sections below,
    • engage in physical testing of facilities or resources,
    • engage in social engineering,
    • send unsolicited electronic mail to SEVOCOMM users, including “phishing” messages,
    • execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks,
    • introduce malicious software,
    • test in a manner which could degrade the operation of SEVOCOMM systems; or intentionally impair, disrupt, or disable SEVOCOMM systems,
    • test third-party applications, websites, or services that integrate with or link to or from SEVOCOMM systems,
    • delete, alter, share, retain, or destroy SEVOCOMM data, or render SEVOCOMM data inaccessible, or,
    • use an exploit to exfiltrate data, establish command line access, establish a persistent presence on SEVOCOMM systems, or “pivot” to other SEVOCOMM systems.

     

    Security researchers may:

    • View or store SEVOCOMM nonpublic data only to the extent necessary to document the presence of a potential vulnerability.

     

    Security researchers must:

    • cease testing and notify us immediately upon discovery of a vulnerability,
    • cease testing and notify us immediately upon discovery of an exposure of nonpublic data, and,
    • purge any stored SEVOCOMM nonpublic data upon reporting a vulnerability.

     

    Scope

    The following systems / services are in scope:

    Disclosure

    SEVOCOMM is committed to timely correction of vulnerabilities. However, we recognize that public disclosure of a vulnerability in absence of a readily-available corrective action likely increases versus decreases risk. Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 90 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we require that you coordinate in advance with us.

    We may share vulnerability reports with the National Cyber Security Center (NCSC-NL), as our main infrastructure is housed in The Netherlands, as well as any affected vendors. We will not share names or contact data of security researchers unless given explicit permission.

    As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. SEVOCOMM expects to be held to the same standard.

    Our policy is in its majority in line with the desire to improve industry response times to security bugs, but also results in softer landings for bugs marginally over deadline(s). We would like to call on all researchers to adopt disclosure deadlines in some form, and feel free to use our policy verbatim if you find this record and reasoning compelling. Creating pressure towards more reasonably-timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities. In our own opinion, vulnerability disclosure policies such as ours result in greater overall safety for users of the Internet.

    Questions

    Questions regarding this policy may be sent to our DPO. SEVOCOMM encourages security researchers to contact us for clarification on any element of this policy. Please contact us prior to conducting research if you are unsure if a specific test method is inconsistent with or unaddressed by this policy. We also invite security researchers to contact us with suggestions for improving this policy.