Coordinated Vulnerability Disclosure (CVD)

Responsible Disclosure Policy

Vulnerability discovered? Let us know.

At our organization, we take the security and integrity of our systems very seriously. As such, we greatly appreciate it when individuals report any vulnerabilities they may discover in our systems to us. By notifying us of any potential vulnerabilities, we can take immediate steps to address the issue and prevent any potential breaches.

We request that you abide by our responsible disclosure policy, which outlines specific guidelines for the disclosure of vulnerabilities. This policy ensures that we can address the vulnerability in a timely and efficient manner, while also protecting the security and integrity of our systems.

Once you have notified us of a vulnerability and provided all necessary details, we will work closely with you to ensure that the issue is addressed as soon as possible. We appreciate your cooperation and are committed to maintaining the highest standards of security and integrity in all of our systems.


We ask you to adhere to the following conditions:

  • E-mail your findings to
    We would like to get in touch with you to (safely) exchange the necessary details. Usually the IP address, domain name or URL of the affected system and a description of the vulnerability are sufficient, but for more complex vulnerabilities more detail may be needed.
  • Do not abuse the problem or share it with others until it is resolved.
  • Delete any confidential data you obtained immediately, or at the latest once the vulnerability has been fixed.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications.

If you have complied with the above conditions, we will not take any legal action against you regarding the report.


This responsible disclosure policy applies exclusively to:


We will then proceed as follows:

  • We will respond to the report as soon as possible, and at the latest within 4 working days. If possible, we will give our assessment and an expected date for a solution. We will keep you informed about the progress of solving the problem.
  • We strive to solve all problems as soon as possible and we would like to be involved in any publication about the problem after it has been solved.
  • We will treat your report confidentially and will not share your personal information with third parties without your permission unless this is necessary to comply with a legal obligation.

No invitation for abuse

When investigating a vulnerability in one of our systems, please take into account the proportionality of the attack. You don't have to prove that if you carry out a large (D)DoS attack on one of our services, we will be down for a while. We know that.

So this is not an invitation to actively scan our networks to discover weak spots. Brute force attacks, (D)DoS and social engineering fall outside the scope of this Responsible Disclosure policy.

Do not perform (D)DoS attacks.

Secondly, do not test rate limits on forms. The disruption these 'tests' cause is worse than any possible discovery of rate-limit vulnerabilities.


Reports that are based on the following findings or scenarios are excluded from this responsible disclosure policy:

  • Findings related to SPF, DKIM and DMARC records or absence of DNSSEC.
  • Absence of HTTP security headers.
  • CSRF on forms that can be accessed anonymously (without a session).
  • Brute-force, (D)DoS and rate-limit related findings.
  • Clickjacking and related vulnerabilities.
  • Reports of unsafe SSL/TLS protocols and related misconfigurations.
  • Possibly outdated server or application versions (from external parties) without proof of vulnerability and proof of exploitation.
  • Version exposure (unless you deliver a PoC of a working exploit).
  • Disclosure of known public files or directories or non-sensitive information.
  • Reports from automated tools and scans.

We request that you do not submit any reports related to these excluded findings, as they are likely known and accepted risks or have been previously reported. If you have any questions about what is considered an excluded finding, please contact us for clarification.


As a thank you for your help, we offer a reward for reporting an as yet unknown security issue that fully conforms to this policy. We determine the size of the reward based on the severity and quality of the report. Expect low rewards ($25 to $250), as we are a startup and have limited resources.

If the report concerns a previously reported, low-risk or accepted-risk vulnerability, it does not qualify for a reward.

If you are a resident of a country that is listed on the EU or UN sanction lists, you will not be eligible for any rewards, even if you have reported a security issue that meets our policy requirements.

This responsible disclosure policy is based on and the NCSC's CVD policy guideline.