Coordinated Vulnerability Disclosure Policy
1. Introduction
At Jeito B.V., we take the security of our systems and data seriously. We recognize the importance of collaborating with the security community and independent researchers to identify and address potential vulnerabilities in a responsible manner. This Coordinated Vulnerability Disclosure (CVD) Policy outlines the guidelines and procedures for reporting and handling security vulnerabilities.
2. Scope
This policy applies to all public-facing systems, websites, and applications owned or operated by Jeito B.V.
3. Responsible Disclosure
If you believe you have discovered a security vulnerability in our systems or services, we encourage you to responsibly disclose it to us as soon as possible. To encourage responsible reporting, we commit to the following:
- We will not take any legal action against you if you comply with this policy.
- We will work with you to understand and resolve the issue promptly.
- We will acknowledge your contribution in helping us maintain a secure environment, subject to your consent.
4. Guidelines for Responsible Disclosure
When reporting a potential security vulnerability, please adhere to the following guidelines:
- Do: Make every effort to provide detailed information about the vulnerability, including a clear description of the issue, steps to reproduce it, and any supporting materials like proof-of-concept code or screenshots.
- Do: Report the vulnerability as soon as possible after discovery to security@jeito.nl.
- Do: Allow us a reasonable amount of time to investigate and address the reported vulnerability before disclosing it to others or making it public.
- Don’t: Exploit the vulnerability to access, modify, or delete data or interfere with our systems in any way beyond what is necessary to demonstrate the security issue.
- Don’t: Share or disclose any information related to the vulnerability with others without explicit written consent from Jeito B.V.
5. Exclusions
The following activities are strictly prohibited and may result in legal action:
- Any form of denial-of-service attacks.
- Physical attacks against our infrastructure or data centers.
- Social engineering or phishing attacks against our employees or users.
- Any other malicious activities that could harm our systems, users, or business interests.
6. Reporting a Vulnerability
To report a security vulnerability, please send an email to security@jeito.nl. We will acknowledge receipt of your report within 3 business days and provide an estimated timeline for when you can expect a resolution.
7. Response and Resolution
Upon receiving a vulnerability report, our security team will promptly investigate and validate the issue. We will make every effort to keep you informed of the progress and notify you when the issue is resolved.
8. Recognition
If you wish to be publicly acknowledged for your responsible disclosure, please let us know when reporting the vulnerability. We are happy to credit researchers for their valuable contributions if they desire recognition.
9. Policy Updates
This Coordinated Vulnerability Disclosure Policy may be updated from time to time. Please check https://jeito.nl/coordinated-vulnerability-disclosure-policy/ for the latest version.
10. Contact Information
If you have any questions or concerns about this policy or its implementation, please contact us at security@jeito.nl.
11. What you do not need to report
- Social engineering.
- Resource exhaustion / (Distributed) Denial of Service.
- Physical access testing.
- Situations that cannot be reproduced; exploits that are not validated with a second tool/method, i.e. a wrong result in tool A but the right result in tool B.
- Cosmetic issues, e.g. something that does not look good in browser A.
- Situations where the problem lies at the user (awareness) level, e.g. something that can only be exploited when the workplace is left unprotected, or click or keypress combinations.
- Simple fingerprinting or version listings of OS, services or ports.
- Reporting of publicly available files that contain public information.
- Secure/HttpOnly flag missing on cookies containing public information only.
- TLS misconfiguration without a proof of concept to exploit the weakness.
- Incomplete or missing SPF, DKIM or DMARC records.
- Services running at third-party service providers (verify their responsible disclosure statement beforehand).
- E-mail addresses found in a third-party data breach.
- Publicly disclosed vulnerabilities patched within the last 2 weeks.
- URL redirection (to a valid webpage).
- Local content spoofing / clickjacking.
- Registered public IP addresses.
- Public files and information leakage through metadata.
- Missing security headers, options and flags.
- Outdated versions without a proof-of-concept or working exploit.
12. Known issues
There are also problems that we are already aware of and that we are working on, or that we recognise as accepted risks. These problems are not listed on the website. Our support team is aware of them and will inform you accordingly. As a result, a report of such an issue will not be dealt with further.
A Personal Note
We know that the above reads a bit formal and legalistic—and it might even feel a little lame. But we want to take a moment to say that we genuinely appreciate the time and effort you put into making the internet and our systems safer for everyone. Your work is invaluable, and we’re deeply grateful for your contributions to improving security. Thank you for helping us take another step toward a safer digital world.