Skip to main content
ASTRON logo

Responsible Disclosure

At ASTRON, we consider the security of our systems very important. Despite our care for the security of our systems, there may still be weaknesses.

If you have found a vulnerability in one of our systems, we would like to hear about it so that we can take action against it as soon as possible. We would like to work with you to better protect our systems.

NOTE: This Responsible Disclosure Policy is not a Bug Bounty Program, we currently only offer a legal and safe way to report any security issues in our systems. As mentioned below in the policy we do offer a reward for valid reports on unknown security issues, but for most of the reports the award is only an entry in our Hall of Fame. In rare occasions we offer, in addition to the entry in the Hall of Fame, a small gift to compensate for additional work done by the reporter in follow up requests from our side.

We ask that you:

  • Email your findings to cert@astron.nl. Encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands.
  • Not abuse the problem by, for example, downloading more data than necessary to demonstrate the leak or accessing, deleting or modifying third-party data,
  • Not sharing the problem with others until it is resolved and deleting all confidential data obtained through the leak immediately after the leak is closed,
  • Not use physical security attacks, social engineering, distributed denial of service, spam or third-party applications,
  • Provide sufficient information to reproduce the problem so that we can fix it as soon as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more may be required for more complex vulnerabilities.

What we promise:

  • We will respond to your report within 3 working days with our assessment of the report and an expected date for resolution,
  • If you have complied with the above conditions, we will not take any legal action against you regarding the report,
  • We will treat your report confidentially and will not share your personal information with third parties without your consent unless necessary to comply with a legal obligation. Reporting under a pseudonym is possible,
  • We will keep you informed of the progress in resolving the problem,
  • In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise),
  • As a thank you for your help, we will offer a reward for each report of a security problem still unknown to us. We determine the size of the reward, based on the severity of the leak and the quality of the report, and it will vary from an honourable mention to a gift.

Out of scope

  • Clickjacking
  • Denial of Service (DoS)

We aim to solve all problems as soon as possible and we are happy to be involved in any publication about the problem after it is solved.

@astron

Subscribe to our newsletter. For previous editions, click here.

searchcloseprintchevron-downlinkedin-squarefacebookbarsenvelopelinkedinxingyoutube-playinstagrampaper-planefacebook-officialpinterest-pwhatsappcommentingenvelopecross