
Coordinated vulnerability disclosure (CVD)

We consider the security of our systems and data a top priority. But no matter how much effort we put in, there will still be vulnerabilities present. We ask for your help to better protect our systems and data. If you discover a vulnerability, we want you to tell us about it first, so we can take steps to address it as quickly as possible. This kind of report is known as a Coordinated Vulnerability Disclosure or CVD.

Do's:

  • Tell us about the vulnerability by submitting your findings on Zerocopter here. On this page you will also find information on the areas and vulnerabilities we consider in scope and out of scope.
  • Report in a manner that safeguards the confidentiality of the report so that others do not gain access to the information.
  • Report the vulnerability as quickly as possible, to minimise the risk of threat actors taking advantage of it.
  • Provide sufficient information to reproduce the vulnerability, so we are able to resolve it. Usually, the IP address or the URL of the affected system and a description of the vulnerability are sufficient, but complex vulnerabilities require further in-depth explanation.

Don'ts:

  • Take advantage of the vulnerability you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or by deleting or modifying our data.
  • Reveal the vulnerability to others until it has been resolved.
  • Use the vulnerability for attacks on physical security, social engineering, distributed denial of service, spam or (web) applications of other parties.
  • Repeatedly gain access to the system or share access with others.
  • Actively perform automated scans on our infrastructure and systems to identify vulnerabilities.
  • Use ‘brute force attack’ techniques to gain access to our systems or data, as this does not qualify as a vulnerability.

Our promises:

We offer a reward for every vulnerability disclosure that was not yet known to us, as a token of our gratitude for your assistance. The amount of the reward will be determined based on the severity of the vulnerability. Payments are made after a report gets the status “resolved”.

  • We will keep you informed about the progress towards resolving the vulnerability via Zerocopter.
  • We handle your report in confidence and we will not share your personal details with third parties without your consent unless we are obliged to do so by law or by a court ruling.
  • We will not take legal action if you submit a vulnerability in line with the procedure.