Responsible disclosure policy

Royal IHC considers the security of its systems to be critical. However, weak spots may arise.

If you find a weak spot in one of our systems, let us know, so that we can take steps to remedy it as soon as possible. We are keen to cooperate with you in order to better protect our users and systems. 

The Coordinated Vulnerability Disclosure policy is not an open invitation to actively and intensively scan our company network in order to discover its weaknesses. 

What to do:

  • Email your findings to [email protected] as soon as possible.
  • Do not abuse any vulnerability, for example, by downloading more data than is necessary to demonstrate the leak, installing a ‘backdoor’ or by changing or deleting data.
  • Exercise further caution with regard to personal data.
  • Do not share information about any vulnerability with others until it has been resolved. Delete all confidential information after a vulnerability has been acknowledged.
  • Do not launch attacks on the physical security or applications of third parties, social engineering, distribute denial-of-service or spam.
  • Provide sufficient information to enable reproduction of the vulnerability, so that we can remedy it as soon as possible. Generally the IP address or URL of the affected system and a description of the vulnerability and operations carried out are sufficient, but more information may be required in the case of complex vulnerabilities.

Our promise:

  • We will respond within one working day to confirm the receipt of your report.
  • We will respond within three working days with our appraisal of your report, and an expected resolution date.
  • If you have complied with the aforementioned conditions, we will not take legal action against you with regard to the report.
  • We will strive to resolve the vulnerability as quickly as possible and will keep you informed of the progress made in remedying it.
  • We will treat your report confidentially and will not share your personal details with third parties without your authorisation, unless required to do so in order to comply with a legal obligation.
  • Anonymous or pseudonymous reporting is possible. You should be aware that in such cases we cannot contact you concerning the steps taken, progress in stopping the leak, publication or the possible reward for the report.
  • We would like to be involved in any publication of the vulnerability after it has been resolved. If you wish, we will credit you as having discovered the vulnerability when issuing our report.

Royal IHC currently does not have an active bounty program. We make exceptions at our own discretion for particularly valuable reports, but do not credit or reward reports about issues that can be found with online scanners or repeat reports.