Coordinated Vulnerability Disclosure | Guardian360

If you have found a weakness in one of the ICT systems of Guardian360 B.V. (Guardian360), we would like to hear from you so that the necessary measures can be taken as soon as possible. Guardian360 would like to collaborate with you to further enhance the security of its own ICT systems. With this in mind, Guardian360 implements the following policy regarding the handling of reports of vulnerabilities detected by you in Guardian360’s ICT systems. You may hold Guardian360 to this policy when you encounter a vulnerability in any of the systems.

WE ASK YOU TO:

  • Send your findings to security@guardian360.nl.
  • Provide sufficient information to reproduce the issue so that Guardian360 can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more may be needed for complex vulnerabilities.
  • Please leave your contact information so Guardian360 can get in touch with you to collaborate on achieving a secure outcome. Please leave at least an email address or phone number.
  • Report the vulnerability as soon as possible after discovering it.
  • Do not share the information about the security issue with others until it is resolved.
  • Handle the knowledge about the security issue responsibly by refraining from actions beyond what is necessary to demonstrate the security problem.

Do not take the following actions under any circumstances:

  • Placing malware.
  • Copying, modifying, or deleting data in a system (an alternative is to create a directory listing of a system).
  • Making changes to the system.
  • Repeatedly gaining access to the system or sharing access with others.
  • Using the so-called “brute force” method to gain access to systems.
  • Using denial-of-service or social engineering techniques.

WHAT YOU CAN EXPECT:

  • If you comply with the above conditions when reporting a vulnerability in a Guardian360 ICT system, Guardian360 will not attach any legal consequences to the report.
  • Guardian360 treats a report confidentially and does not share personal data with third parties without the consent of the notifier, unless required by law or court order.
  • Guardian360 will send you an acknowledgment of receipt within 3 working days.
  • Guardian360 will respond to a report within 7 working days with an assessment of the report and an expected date for a solution.
  • Guardian360 will keep the reporter informed of the progress in resolving the issue.
  • Guardian360 will resolve the security issue you identified in a system as quickly as possible, and no later than within 90 days. It can be mutually decided whether and how the issue will be disclosed after it has been resolved.
  • Guardian360 offers a reward as a token of appreciation for the assistance. Depending on the severity of the security issue and the quality of the report, this reward can range from a T-shirt to a maximum of 300 euros’ worth of gift vouchers. The security issue must be serious and not yet known to Guardian360.