Coordinated Vulnerability Disclosure Policy

1. Introduction

At Jeito B.V., we take the security of our systems and data seriously. We recognize the importance of collaborating with the security community and independent researchers to identify and address potential vulnerabilities in a responsible manner. This Coordinated Vulnerability Disclosure (CVD) Policy outlines the guidelines and procedures for reporting and handling security vulnerabilities.

2. Scope

This policy applies to all public-facing systems, websites, and applications owned or operated by Jeito B.V.

3. Responsible Disclosure

If you believe you have discovered a security vulnerability in our systems or services, we encourage you to responsibly disclose it to us as soon as possible. To encourage responsible reporting, we commit to the following:

We will not take any legal action against you if you comply with this policy.
We will work with you to understand and resolve the issue promptly.
We will acknowledge your contribution in helping us maintain a secure environment, subject to your consent.

4. Guidelines for Responsible Disclosure

When reporting a potential security vulnerability, please adhere to the following guidelines:

Do: Make every effort to provide detailed information about the vulnerability, including a clear description of the issue, steps to reproduce it, and any supporting materials like proof-of-concept code or screenshots.
Do: Report the vulnerability as soon as possible after discovery to security@jeito.nl.
Do: Allow us a reasonable amount of time to investigate and address the reported vulnerability before disclosing it to others or making it public.
Don’t: Exploit the vulnerability to access, modify, or delete data or interfere with our systems in any way beyond what is necessary to demonstrate the security issue.
Don’t: Share or disclose any information related to the vulnerability with others without explicit written consent from Jeito B.V.

5. Exclusions

The following activities are strictly prohibited and may result in legal action:

Any form of denial-of-service attack.
Physical attacks against our infrastructure or data centers.
Social engineering or phishing attacks against our employees or users.
Any other malicious activities that could harm our systems, users, or business interests.

6. Reporting a Vulnerability

To report a security vulnerability, please send an email to security@jeito.nl. We will acknowledge receipt of your report within 3 business days and provide an estimated timeline for when you can expect a resolution.

7. Response and Resolution

Upon receiving a vulnerability report, our security team will promptly investigate and validate the issue. We will make every effort to keep you informed of the progress and notify you when the issue is resolved.

8. Recognition

If you wish to be publicly acknowledged for your responsible disclosure, please let us know when reporting the vulnerability. We are happy to credit researchers for their valuable contributions if they desire recognition.

9. Policy Updates

This Coordinated Vulnerability Disclosure Policy may be updated from time to time. Please check https://jeito.nl/coordinated-vulnerability-disclosure-policy/ for the latest version.

10. Contact Information

If you have any questions or concerns about this policy or its implementation, please contact us at security@jeito.nl.