Responsible disclosure

Discovered a vulnerability?
Let us know

At Keiretsu Europe B.V. and its subsidiaries, we consider the security of our systems and network very important. We are convinced that good security is essential for the trust that our customers, suppliers and employees place in us. Despite the care we take over the security of our systems, it is possible that a vulnerability is discovered. Through our responsible disclosure policy, we ask anyone who discovers a vulnerability to report it as soon as possible so that we can take adequate measures. We are happy to work with you to resolve the vulnerability. Our responsible disclosure policy is not an invitation to actively scan our company network to discover vulnerabilities. We monitor our network ourselves.

We ask you:

  • Send your findings as soon as possible to security@keiretsu-europe.nl. If you want to send the notification encrypted, that is possible.

  • Provide us with enough information to reproduce the vulnerability so that we can fix it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more complex vulnerabilities may require more information;
  • Do not abuse the vulnerability by, for example, downloading, viewing, deleting or adjusting data;
  • Do not share the vulnerability with others until it is resolved. In the unlikely event that you have obtained confidential data, we ask you to delete this data immediately;
  • Do not use attacks on physical security or third party applications, social engineering, distributed denial of service (DDoS), spam or hacking tools such as vulnerability scanners.

What to expect:

  • We always take your report seriously. We will also investigate suspicions of vulnerabilities;
  • We will respond to your report within 5 business days with our assessment of the report and an expected resolution date;
  • We will keep you informed of the progress of resolving the vulnerability;
  • If you have complied with the above conditions, we will not take legal action against you regarding the report. The Public Prosecution Service always reserves the right to decide for itself whether further investigation is necessary;
  • We treat your report confidentially and will not share your personal data with third parties without your permission, unless this is necessary to comply with a legal obligation, such as when your data is requested by the police and judicial authorities;
  • An anonymous report may mean that we cannot contact you about, for example, the next steps and progress in closing the vulnerability;
  • We can show our appreciation with a maximum value of € 250. This is determined on the basis of the seriousness of the vulnerability and quality of the report;
  • In any reporting about the reported vulnerability, we will, if you wish, mention your name as the discoverer;
  • We strive to analyze all vulnerabilities as quickly as possible and to solve them if necessary. We will keep all parties involved informed.

This responsible disclosure policy is based on the Responsible Disclosure guideline of the National Cyber Security Center and the Responsible Disclosure example written by Floor Terra.