Responsible disclosure
The security of our customers and of our information systems is one of our main priorities. That is why, every day, we strive to guarantee the best possible level of security to protect data confidentiality. Nevertheless, vulnerabilities may escape our vigilance, and we therefore thank you for collaborating with us by following this voluntary disclosure policy should you come across or suspect a vulnerability on our sites or in our systems. We recognise the importance of the work of the cyber security research community in ensuring the ongoing safety and security of everyone, especially our customers, and hope to foster an open partnership with all researchers.
To this end, here are a few simple rules to follow that will allow us to optimally follow up on your findings. These rules are applicable as of 01/03/2021.
What can you test?
Suspected security vulnerabilities that could be exploited for illegal purposes and that arise:
- on our sites (www.voo.be; myvoo.be; zuny.be, …);
- in relation to our products and services, IT systems and networks.
Although VOO SA operates a number of other services, we ask all cyber-security researchers to submit vulnerability reports only for the given list of products and services. We intend to extend the scope of this policy as we build up our capacity and experience in this area.
We undertake not to prosecute those who follow the procedure outlined in this document and who:
- test systems/carry out research without these activities harming VOO or its customers.
- carry out vulnerability tests as part of our vulnerability disclosure programme without accessing other VOO resources.
- carry out research on products without affecting VOO customers, or by collecting customers' consent before carrying out tests on their hardware/software, etc.
- comply with the laws in force in Belgium and in their jurisdiction.
- refrain from disclosing the details of the vulnerability to the public or third parties before the expiry of a mutually agreed period of time or the end of the remediation process.
How to submit a vulnerability?
Report the security flaws you observe only via the email address: [email protected]
We accept reports in three languages: French, Dutch or English.
If your report contains sensitive information that you prefer to send in encrypted form, encrypt your message with GPG using the following public key:
Key store: https://keys.openpgp.org/
Fingerprint: 32B1 DFBE 48E6 84CB 913D 0C0C B7BA 5238 F41E 65DB
Would you prefer to remain anonymous? No problem, but we do ask you to provide an anonymous e-mail address (Gmail, Hotmail, Yahoo, etc.) so that we can contact you if we have further questions or need more information.
Preference, prioritisation and acceptance criteria
We will use the following criteria to prioritise and triage your findings.
The following will push your report up the priority list:
- A report written in correct English/French/Dutch will have a better chance of being reviewed.
- A report that includes a proof of concept is more likely to be prioritised.
- A report that includes only "dumps" or other automated tool outputs will not be prioritised for review.
- A report that concerns products and/or services not included in the above-mentioned scope will not be considered.
Your report should also include:
- The origin of the vulnerability, the way in which you identified it, its estimated impact on VOO customers and any comments you may have.
- Your preferred means of contact.
Do not send us a vulnerability disclosure in the event of:
- Comments or questions concerning a problem relating to the supply of our products or services. You can contact our customer service department directly for this type of request.
- Technical attacks (DDoS, brute force, password guessing/spraying, etc.). If you are a victim of such an attack coming from our networks, you can contact us directly at [email protected].
- Spam, phishing attacks, fraudulent e-mails, etc. You can contact [email protected] directly for this type of request.
Our undertakings:
- A rapid response to your e-mail (within 5 working days).
- After triage, a provisional timetable for the patching or mitigation of the vulnerability.
- An open and constructive dialogue.
- A notification when the vulnerability analysis is completed.
If VOO does not share your recommended approach to remedying a vulnerability or other problem, VOO may call on a neutral third party (such as CERT-BE or BIPT) to help determine the best way to deal with the vulnerability.