
Coordinated Vulnerability Disclosure Policy

Name/Designation: Co-Dex.eu BVBA
Address/registered office: Albert I-laan 23 in 8920 Langemark-Poelkapelle
Registration number at the Crossroads Bank for Enterprises (CBE): BE 0693.665.707
Represented by: Wim Barthier [person authorized to legally represent the organization]
Hereinafter referred to as the "Organization".


1. The scope of the policy

To improve the performance and security of our network and information systems, we have chosen to implement a coordinated vulnerability disclosure policy. It allows participants acting in good faith to detect potential vulnerabilities in our organization's systems, equipment and products, or to provide us with any information they have discovered about a vulnerability.

However, access to our IT systems and equipment is granted solely for the purpose of improving their security and informing us of existing vulnerabilities, in strict compliance with the other conditions set out in this document.

Our policy concerns security vulnerabilities that may be exploited by third parties or that may disrupt the proper functioning of our products, services, network or information systems.

The participant is also authorized to enter or attempt to enter computer data into our computer system, subject to the purposes and conditions of this policy.

The list of products, services or websites within the scope:
[To be defined]

The list of products explicitly excluded from the scope of this policy:
[To be defined]

Systems that rely on third parties are outside the scope of this policy unless these third parties explicitly agree to these rules in advance.


2. The mutual obligations of the parties

2.a) The proportionality

The participant undertakes to strictly observe the principle of proportionality in all of their activities, i.e. not to disrupt the availability of the services provided by the system and not to exploit the vulnerability beyond what is strictly necessary to demonstrate the security problem. The participant's conduct must remain proportionate: once the security problem has been demonstrated on a small scale, no further action may be taken.

2.b) Prohibited actions

The following actions are not allowed for the participant:

  • Copying or modifying data from the computer system or deleting data from that system;
  • Changing the parameters of the computer system;
  • The installation of malware: virus, worm, Trojan horse, etc.;
  • Denial of service (DoS) or distributed denial of service (DDoS) attacks;
  • "Social engineering" attacks;
  • Phishing attacks;
  • Spam attacks;
  • Password theft or "brute force" attacks;
  • Installing a device that makes it possible to intercept, store or gain knowledge of communications not accessible to the public or of electronic communications;
  • The intentional interception, storage or disclosure of communications not accessible to the public or of electronic communications;
  • The intentional use, maintenance, communication or distribution of the content of a communication not accessible to the public or of data from a computer system of which the participant should reasonably have known that they were obtained unlawfully.

2.c) Confidentiality

Under no circumstances may the participant share or distribute information collected under our policy to third parties without our prior and express approval.

It is also not permitted to communicate computer data, communication data or personal data to third parties or to distribute them to third parties.

Our policy is not intended to enable the intentional disclosure of the contents of computer data, communications data or personal data and such disclosure may only occur incidentally in the context of detecting vulnerabilities.

However, our organization may provide information about identified vulnerabilities to the Centre for Cybersecurity Belgium (CCB, CERT.be service - [email protected]) and inform the CCB about any other organizations that may be affected by the same vulnerabilities.

If the participant seeks assistance from a third party to conduct his research, he should ensure that the third party is aware of this policy in advance and agrees to abide by the terms of the policy, including confidentiality, when providing assistance.

2.d) Performance in good faith

Our organization undertakes to implement this policy in good faith and not to prosecute, either civilly or criminally, any participant who strictly complies with its terms.

There must be no fraudulent intent, intention to harm, or intention on the part of the participant to use or cause damage to the visited system or its data.

In case of doubt about certain terms of our policy, the participant must consult our point of contact in advance and have a written answer before acting.

2.e) The processing of personal data

A coordinated disclosure policy does not aim primarily and intentionally to process personal data [1]. Unless it is necessary to prove the existence of a vulnerability, the participant may not access, retrieve or store personal data.

However, it is possible that the participant, even by chance, may gain access to personal data stored, processed or transferred in the computer system concerned. It may also be necessary for the participant to temporarily consult, retrieve or use personal data in the context of detecting vulnerabilities. In this case, the participant must notify the data protection officer of our organization ([email protected]).

When processing such data, the participant undertakes to comply with the legal obligations regarding the protection of personal data and the terms of this policy.

Processing personal data for purposes other than detecting vulnerabilities of systems, equipment or products of our organization is excluded.

The participant may not retain any processed personal data for longer than necessary. During this period, the participant must ensure that the data is retained with a guarantee of a level of security appropriate to the risks (preferably encrypted). After the end of participation in the policy, this data must be deleted immediately.

Finally, the participant must inform us of any possible loss of personal data as soon as possible after becoming aware of it.

2.f) Breadcrumbs

Where possible, add an identifying HTTP header to the requests you send during your research. This makes it easier for us to analyse the vulnerability and to determine what effect it has on our information systems.

Preferably provide this in an HTTP request header field named "x-bugbounty" whose value is your email address. This is optional, but it makes analysis of the finding more efficient and lets us distinguish your benign manipulations from malicious activity in our logs.
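The following Python example is added here to show both sides of the breadcrumb mechanism described above; it is not code from Co-Dex.eu. The participant's side builds requests that carry the "x-bugbounty" header, and the organisation's side triages access-log lines by that header. The host name, the log format and the assumption that the web server has been configured to record the header value (for example via nginx's `$http_x_bugbounty` variable) are all hypothetical, and the log lines are constructed for the example.

```python
"""Tag research traffic with an x-bugbounty header and triage logs by it.

Added example, not Co-Dex.eu code.  Assumptions (not stated in the policy):
the target URL, the access-log layout, and that the server appends the
value of the x-bugbounty request header (or "-" when absent) as the last
quoted field of each log line.
"""
import re
import urllib.request
from collections import defaultdict

BUGBOUNTY_HEADER = "x-bugbounty"


def tagged_request(url, researcher_email, method="GET", data=None):
    """Participant side: build a request carrying the researcher's e-mail
    in the x-bugbounty header so the organisation can match it in its logs.
    Returns the Request object; the caller decides whether to send it."""
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header(BUGBOUNTY_HEADER, researcher_email)
    return req


# Constructed sample log (hypothetical layout, see module docstring).
SAMPLE_LOG = """\
203.0.113.7 - [20/Jan/2025:10:01:02 +0100] "GET /login HTTP/1.1" 200 "researcher@example.org"
203.0.113.7 - [20/Jan/2025:10:01:05 +0100] "POST /login HTTP/1.1" 302 "researcher@example.org"
198.51.100.23 - [20/Jan/2025:10:02:11 +0100] "GET /admin HTTP/1.1" 403 "-"
203.0.113.7 - [20/Jan/2025:10:03:40 +0100] "GET /admin HTTP/1.1" 403 "-"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<tag>[^"]*)"$'
)


def parse_log(text):
    """Organisation side: parse log lines into dicts; "-" means no header."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["tag"] = None if e["tag"] == "-" else e["tag"]
        entries.append(e)
    return entries


def triage(entries):
    """Split entries into {researcher_email: [entries]} and a list of
    untagged entries that still need to be attributed by other means."""
    tagged = defaultdict(list)
    untagged = []
    for e in entries:
        if e["tag"]:
            tagged[e["tag"]].append(e)
        else:
            untagged.append(e)
    return dict(tagged), untagged


def mixed_sources(entries):
    """IPs that sent both tagged and untagged requests.  Either the
    researcher forgot the header on some requests or someone else shares
    the address; the header alone cannot settle which, so these entries
    are cross-checked against the IP and test times the participant reports."""
    tagged_ips = {e["ip"] for e in entries if e["tag"]}
    untagged_ips = {e["ip"] for e in entries if not e["tag"]}
    return tagged_ips & untagged_ips


if __name__ == "__main__":
    req = tagged_request("https://example.invalid/login", "researcher@example.org")
    print("request headers:", dict(req.header_items()))
    entries = parse_log(SAMPLE_LOG)
    tagged, untagged = triage(entries)
    for email, hits in tagged.items():
        print(f"{email}: {len(hits)} tagged request(s)")
    print(f"{len(untagged)} untagged request(s); mixed sources: {mixed_sources(entries)}")
```

The header is a courtesy marker, not authentication: anyone can set it, so it attributes traffic to a reported e-mail address but does not by itself prove that the traffic was legitimate. The date, time and source IP the participant reports under point 3.b remain the primary cross-check, especially for the untagged requests from an address that also sent tagged ones.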

2.g) The award of a reward

Our organization commits to awarding a reward to the participant who identifies a vulnerability that has not yet been reported to our points of contact.

This reward may consist of a sum of money, gifts or mere public recognition, depending on the amount, importance or quality of the information provided.


3. How to report security vulnerabilities?

3.a) The points of contact

You should send the discovered information exclusively to the following email address: [email protected] with the subject "VULNERABILITY REPORT".

You can also contact the department or person responsible for the policy during office hours on the following telephone number(s): +32 47 39 33 43 0.

3.b) The information to be provided

Please send us the related information as soon as possible after your discovery.

Please provide us with enough information so that we can reproduce the problem and resolve it as quickly as possible.

We request that you provide us with at least the following relevant information (in Dutch, French, German or English):

Purpose: to identify you

  • Name
  • First name
  • Identity card number

Purpose: to contact you

  • Email address
  • Phone number
  • Address

Purpose: to describe the vulnerability

  • A description of the vulnerability you have identified that is as complete and clear as possible
  • IP address of the system concerned
  • Breadcrumbs used if necessary

Purpose: to identify the vulnerability type

  • Type of vulnerability, reference to OWASP, SANS critical security controls or similar can help to better determine a problem

Purpose: to reproduce the vulnerability more accurately

  • Configuration details
  • Operating system
  • Operations performed (logging)
  • Tools used

Purpose: to distinguish legitimate operations from other activity

To be able to distinguish between your legitimate operations and possibly malicious other activity:

  • Date and time of the tests
  • Your IP address or other reference that you think could be found in logging

Purpose: to complete the information

  • Any other information you find relevant regarding this vulnerability

Purpose: to document and demonstrate the vulnerability

  • Any screenshots or other attachments

Purpose: to determine the risk of the vulnerability


4. The procedure

4.a) The notification

The participant undertakes to provide the information discovered about any vulnerabilities as soon as possible to the point of contact or to the coordinator mentioned in point 3 a) of this policy. The participant must use the mentioned secure means of communication.

Our organization undertakes, upon receipt of a message, to send the participant an acknowledgement of receipt within a reasonable period [e.g. within max. 7 working days], with its internal reference, a reminder of its obligation of confidentiality and the next steps of the procedure.

If the participant does not receive an acknowledgement of receipt within a reasonable period, they may, where appropriate, contact Wim Barthier ([email protected]) so that the appropriate persons within our organisation can be reached.

4.b) The communication

The parties undertake to do everything in their power to ensure permanent and effective communication. The information provided by the participant can indeed be very useful in identifying the vulnerability and finding a solution.

If, after a reasonable period of time, neither party nor the designated coordinator responds, the parties can always call on Wim Barthier ([email protected]) as the default coordinator.

4.c) The research

During the investigation phase, our organization will reproduce the environment and the behavior observed in order to verify the information provided.

Our organization undertakes to keep the participant regularly informed of the results of the investigation and of the follow-up given to his report.

During this process, the parties will ensure that they link to similar or related reports, assess the risk and severity of the vulnerability, and identify any other affected products or systems.

4.d) The development of a solution

The disclosure policy aims to enable the development of a solution to eliminate the vulnerability of the IT system before damage is done.

To the extent possible and taking into account the costs and existing knowledge, our organization will try to work out a solution as quickly as possible, depending on the seriousness of the risks faced by the users of the systems involved.

In this phase, our organization (or our service provider) undertakes to perform positive tests on the one hand to verify that the solution is working correctly and negative tests on the other hand to ensure that the solution does not disrupt the proper functioning of the other existing functionalities.

4.e) Any publication

Our organization will decide, in consultation with the participant, how the existence of the vulnerability will be published. At the same time, a security advisory will be published on our website (or sent by e-mail) as a system update notice for users.

Before any publication, our organisation will provide the relevant information to the CCB ([email protected]) and will grant a deadline for essential service providers in Belgium [2] to be informed of this vulnerability.

Our organization also undertakes to collect user comments on the application of the solution and to take the necessary corrective actions to resolve any problems caused by the solution, including compatibility with other products or services.


5. Applicable law

Belgian law applies to disputes relating to the implementation of this policy.

The CCB may act as a mediator between our organization and the participant for disputes relating to the implementation of this policy.


6. Duration

The rules of the policy are applicable from 20-01-2025 until they are changed or revoked by our organization.

These changes or revocations will be announced on our organization's website and will automatically apply 30 days after the announcement.



Footnotes

  1. European Regulation No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR General Data Protection Regulation).

  2. Providers and authorities identified by the CCB.