Vulnerability Reporting and Reward Policy


1. Purpose
This policy is designed to guide our organization's response to vulnerability reports submitted by external white-hat hackers. It aims to classify the reported vulnerabilities based on their impact and potential risk, ensuring that appropriate rewards are granted to those who help improve our system's security.

2. Scope
This policy applies to all vulnerability reports submitted to our organization by external parties, including individual white-hat hackers and security researchers, concerning our event management tool.

3. Submission Process
3.1. Reporting Channels
All vulnerability reports must be submitted via email to security@aanmelder.nl.
Reports submitted through other channels may not be eligible for rewards.
3.2. Information Required
Reporter's name, contact information, and affiliation (if any).
Detailed description of the vulnerability.
Steps to reproduce the vulnerability.
Potential impact of the vulnerability.
Suggested mitigations or fixes (optional).
Any relevant attachments or supporting documentation.
3.3. Acknowledgment
Upon receiving a vulnerability report, we will acknowledge the receipt within 5 business days and provide the reporter with a unique reference ID for tracking purposes.

4. Classification Criteria
Vulnerabilities will be classified based on their severity and impact on our event management tool. The classification levels are as follows:

4.1. No Vulnerability
The reported issue does not qualify as a vulnerability or is a duplicate of a previously reported issue.
For example, automated version scans will be classified as no vulnerability.
No reward will be granted.

4.2. Automated scans
No reward will be granted.

4.3. Low
Minor vulnerabilities that have limited impact or require unlikely conditions to exploit.
Reward: €50

4.4. Medium
Vulnerabilities that could potentially lead to unauthorized access, data exposure, or other moderate security risks.
Reward: €75

4.5. High
Critical vulnerabilities that pose a significant risk to our systems or user data, allowing for severe exploitation.
Reward: €100

5. Evaluation and Response Process
5.1. Initial Assessment
Our security team will perform an initial assessment of the reported vulnerability within 5 business days of acknowledgment.
5.2. Detailed Analysis
A detailed analysis will be conducted to evaluate the validity, impact, and severity of the reported vulnerability.
5.3. Classification Decision
Based on the analysis, the vulnerability will be classified as per the criteria outlined in Section 4.
5.4. Response to Reporter
We will communicate the classification decision and any relevant feedback to the reporter within 10 business days of the initial assessment. Decisions are final. If applicable, the reporter will be informed of the reward amount and the payment process.

6. Reward Distribution
6.1. Eligibility for Reward
Only reports that result in the identification of a new and valid vulnerability will be eligible for rewards. Rewards are granted solely at our discretion, based on the classification decision.
6.2. Reward Payment
Rewards will be paid within 10 business days of the classification decision, subject to the reporter’s compliance with our payment process.
The payment will be made through PayPal.
6.3. Tax and Legal Considerations
The reporter is responsible for complying with any applicable tax laws and regulations related to the reward payment.

7. Confidentiality and Non-Disclosure
7.1. Reporter’s Responsibilities
Reporters are expected to maintain the confidentiality of the vulnerability until it is resolved or disclosed by our organization.
Any breach of confidentiality may result in disqualification from receiving a reward.
7.2. Organization’s Responsibilities
Our organization will respect the reporter’s privacy and will not disclose their identity without their consent unless required by law.

8. Policy Review and Updates
This policy will be reviewed periodically and updated as necessary to ensure its effectiveness and alignment with our organization’s goals and security needs.

For any questions or concerns regarding this policy or the vulnerability reporting process, please contact our security team at security@aanmelder.nl.