Responsible Disclosure Policy
RESPONSIBLE DISCLOSURE BIT B.V. - VERSION 2018-12-31
At BIT, we consider the security of our systems very important, but despite our efforts to ensure security, there may still be a weak spot. If you discover a weakness in one of our systems, we would like to hear about it so that we can take action as soon as possible. We want to work with you to better protect both our customers and our systems. Our Responsible Disclosure is also available in PDF format.
BIT’s infrastructure is also used by third-party systems and in many cases managed by those third parties. Weaknesses in systems managed by third parties are not covered by this Responsible Disclosure Policy. Systems not covered by this policy have a hostname that includes vm.bit.nl, colo.bit.nl or customer.bit.nl. You may nevertheless report systems with such hostnames. If you do so, you agree in advance that your report will be forwarded uncensored to the administrator of the system in question. In such cases, the promises made by BIT below no longer apply.
We ask you:
- Not to use physical security attacks, social engineering, distributed denial of service, spam or automated tools, such as vulnerability scanners.
- Not to abuse the problem by, for example, downloading more data than necessary to prove the leak, or viewing, deleting or modifying third-party data.
- Not to share the problem with others until it is resolved.
- To email your findings to cert@bit.nl. Encrypt your findings with our PGP key (found at the bottom of this page) to keep sensitive information out of the wrong hands.
- To provide sufficient information so that we can reproduce the problem as soon as possible. This way we can solve the problem as soon as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are enough, but for more complex vulnerabilities additional information may be required.
- To delete all data obtained through the leak.
We promise:
- If you comply with the above conditions, we will not take any legal action against you as the result of the report.
- We will respond to your report within three business days with our assessment and an estimated date for resolution.
- We will keep you updated on the status of the resolution.
- We will treat your report confidentially and will not disclose your personal information to third parties without your consent, unless required by law.
- It is possible to report under a pseudonym.
- In all communications regarding the reported problem, we will identify you as the reporter, if you so wish.
We strive to solve all problems as quickly as possible and are happy to be involved in any publication about the problem after it is solved.
The above text is based on the work of Floor Terra as published at https://www.responsibledisclosure.nl.
The modified text is published under the Creative Commons Attribution 3.0 license.
PGP-key