Responsible disclosure

As a quality driven training institute, Security Coaches wants to learn from the best experts in the field. So maybe from you. We find it very important that our ICT systems are safe and of course meet the highest security requirements. We know that despite all our efforts to maintain our high standards, it is always possible that a weak spot in one of our systems can be found. If you discover a weak spot in one of our systems, we would like to learn from you. We will respond with the needed measures to improve security. Will you help us? Security Coaches is eager to learn.

  • Please e-mail your findings to responsible@securitycoaches.nl.
  • To prevent information falling into the wrong hands, please encrypt the message.
  • Provide sufficient information to be able to reproduce and investigate the vulnerability. For this, Security Coaches needs at least an IP/URL and a good description of the vulnerability; for more difficult vulnerabilities, more may be needed.
  • Deal responsibly with your knowledge of the vulnerability; do not perform any actions beyond what is necessary to demonstrate the vulnerability to us, and to us alone.
  • It is handy to have your contact details, at least an e-mail address or telephone number.
  • Do not share information about the vulnerability with others until it has been resolved.

In scope:

  • Remote Code Execution
  • Cross Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection
  • Encryption vulnerabilities
  • Bypassing authentication or unauthorized access to data

Out of scope:

  • DDoS attacks
  • Disruption of the operation of our ICT systems
  • Installing malware
  • Using “brute force” techniques
  • Copying, changing, or deleting data
  • Making irreversible changes to a system
  • Social Engineering
  • Automated scans (such as Zap, Nmap, Burp scans)

What can you expect from Security Coaches?

  • If you comply with the conditions mentioned above and have acted in the best interest of Security Coaches, Security Coaches will not take any legal action against you because of your actions.
  • The Security Academy will confirm the receipt of your report within 48 hours.
  • Within 30 days Security Coaches will share the result of the (technical) analysis with you and give you instructions about an ‘embargo period’ it will use to resolve the vulnerability. During that period no information about this vulnerability and the handling process may be shared with ‘third parties’.
  • Describe the vulnerability found as clearly and in detail as possible and attach evidence. You can assume that the notification will be read by technical security experts. Mention at least the following:
    • What vulnerability has been found.
    • The full URL where it was found.
    • The steps taken to find the vulnerability.
    • Objects (such as filters or input fields) that play a role.
  • Please note we only accept reports in Dutch or English.
  • Security Coaches will treat your report ‘confidentially’ and respect your privacy unless laws and regulations require it to share information with the appropriate authorities.
  • Security Coaches will reward your efforts to improve our security. To keep you informed and to be able to award a possible reward and to add you to our wall of fame, we ask for your contact information such as name, e-mail address and in some cases the telephone number. If the vulnerability is reported anonymously, we respect this.
  • The contact information will only be used to keep you informed about the above matters and will not be passed on to third parties without your explicit permission. However, this is not the case if we are required by law to disclose this or if we transfer the investigation of the reported vulnerability to a third party. In these cases, we do everything possible to keep this information confidential and we feel responsible for the information.

Deviating international rules

Please note that laws and regulations for responsible disclosure differ from country to country. If you reside outside the Netherlands, our policy may not fully apply to you. It is therefore possible that, even if you have acted in accordance with the guidelines of the Security Coaches Responsible Disclosure policy, legal action is taken against you by the authorities in your country, even though Security Coaches has not reported the vulnerability to them.