RSR conducts the digital administration of the student travel product and believes it is essential that its systems are secure. Despite our care for security, it may still happen that a vulnerability is found in our systems. This is why we have established this responsible disclosure policy.
If you have found a vulnerability in one of our systems, we would like to hear about it as soon as possible, so that we can immediately take measures to remedy it. We would like to work with you to deal with the vulnerabilities you find in a responsible way, and thereby better protect our systems.
What do we ask of you?
- Safely email your findings to RD@svov.nu (responsible disclosure) to prevent the information from falling into the wrong hands;
- Report the vulnerability as soon as possible after discovering it;
- Do not exploit the vulnerability by downloading more data than is needed to demonstrate the leak, or by accessing, deleting or modifying third-party data;
- Do not share the vulnerability with others until it has been fixed, and delete all confidential data obtained through the leak immediately after the leak has been fixed;
- Do not use attacks on physical security, social engineering, distributed denial of service, spam, or attacks on third-party applications;
- Provide sufficient information to reproduce the vulnerability so that we can resolve it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient. More complex vulnerabilities may require more detail.
What can you expect from us?
- We will respond to your report within three days with our assessment and an expected date for resolution;
- We will treat your report confidentially and will not share your personal data with third parties without your consent, unless this is necessary to fulfil a legal obligation. Reporting under a pseudonym is possible, but we ask that you leave at least an e-mail address so that we can contact you;
- We will keep you updated on the progress of resolving the vulnerability;
- We will name you, if you wish, as the discoverer of the reported vulnerability in any notices about it;
- We will offer, as a thank-you for your help, a reward for every report of a vulnerability that is still unknown to us. We determine the size of the reward based on the severity of the vulnerability and the quality of the report, with a minimum of a €50 voucher. If the vulnerability is a low or accepted risk, we may decide not to reward the report. Some examples of such vulnerabilities: HTTP 404 codes or other non-HTTP 200 codes, publicly accessible files and folders with non-sensitive information, clickjacking on pages without a login feature, cross-site request forgery (CSRF) on forms that can be accessed anonymously, missing 'Secure' or 'HttpOnly' flags on non-sensitive cookies, missing SPF, DKIM and DMARC records, and missing one or more of the following HTTP security headers: Strict-Transport-Security (HSTS), HTTP Public Key Pinning (HPKP), Content-Security-Policy (CSP), X-Content-Type-Options, X-Frame-Options, X-WebKit-CSP and X-XSS-Protection;
- We will take no legal action regarding your report if you have complied with the above conditions;
- We will strive to resolve all problems as quickly as possible, and we are happy to be involved in any publication about the problem after it has been resolved.