Coordinated Vulnerability Disclosure Policy
1. Introduction
At Jeito B.V., we take the security of our systems and data seriously. We recognize the importance of collaborating with the security community and independent researchers to identify and address potential vulnerabilities in a responsible manner. This Coordinated Vulnerability Disclosure (CVD) Policy outlines the guidelines and procedures for reporting and handling security vulnerabilities.
2. Scope
This policy applies to all public-facing systems, websites, and applications owned or operated by Jeito B.V.
3. Responsible Disclosure
If you believe you have discovered a security vulnerability in our systems or services, we encourage you to responsibly disclose it to us as soon as possible. To encourage responsible reporting, we commit to the following:
We will not take any legal action against you if you comply with this policy.
We will work with you to understand and resolve the issue promptly.
We will acknowledge your contribution in helping us maintain a secure environment, subject to your consent.
4. Guidelines for Responsible Disclosure
When reporting a potential security vulnerability, please adhere to the following guidelines:
Do: Make every effort to provide detailed information about the vulnerability, including a clear description of the issue, steps to reproduce it, and any supporting materials like proof-of-concept code or screenshots.
Do: Report the vulnerability as soon as possible after discovery to security@jeito.nl.
Do: Allow us a reasonable amount of time to investigate and address the reported vulnerability before disclosing it to others or making it public.
Don’t: Exploit the vulnerability to access, modify, or delete data or interfere with our systems in any way beyond what is necessary to demonstrate the security issue.
Don’t: Share or disclose any information related to the vulnerability with others without explicit written consent from Jeito B.V.
5. Exclusions
The following activities are strictly prohibited and may result in legal action:
Any form of denial-of-service attack.
Physical attacks against our infrastructure or data centers.
Social engineering or phishing attacks against our employees or users.
Any other malicious activities that could harm our systems, users, or business interests.
6. Reporting a Vulnerability
To report a security vulnerability, please send an email to security@jeito.nl. We will acknowledge receipt of your report within 3 business days and provide an estimated timeline for when you can expect a resolution.
7. Response and Resolution
Upon receiving a vulnerability report, our security team will promptly investigate and validate the issue. We will make every effort to keep you informed of the progress and notify you when the issue is resolved.
8. Recognition
If you wish to be publicly acknowledged for your responsible disclosure, please let us know when reporting the vulnerability. We are happy to credit researchers for their valuable contributions if they desire recognition.
9. Policy Updates
This Coordinated Vulnerability Disclosure Policy may be updated from time to time. Please check https://jeito.nl/coordinated-vulnerability-disclosure-policy/ for the latest version.
10. Contact Information
If you have any questions or concerns about this policy or its implementation, please contact us at security@jeito.nl.