Skip to main content

Responsible Disclosure

At ASTRON, we consider the security of our systems very important. Despite our care for the security of our systems, there may still be weaknesses.

If you have found a vulnerability in one of our systems, we would like to hear about it so that we can take action against it as soon as possible. We would like to work with you to better protect our systems.

We ask that you:

  • Email your findings to Encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands.
  • Not abuse the problem by, for example, downloading more data than necessary to demonstrate the leak or accessing, deleting or modifying third-party data,
  • Not sharing the problem with others until it is resolved and deleting all confidential data obtained through the leak immediately after the leak is closed,
  • Not use physical security attacks, social engineering, distributed denial of service, spam or third-party applications,
  • Provide sufficient information to reproduce the problem so that we can fix it as soon as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more may be required for more complex vulnerabilities.

What we promise:

  • We will respond to your report within 3 working days with our assessment of the report and an expected date for resolution,
  • If you have complied with the above conditions, we will not take any legal action against you regarding the report,
  • We will treat your report confidentially and will not share your personal information with third parties without your consent unless necessary to comply with a legal obligation. Reporting under a pseudonym is possible,
  • We will keep you informed of the progress in resolving the problem,
  • In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise),
  • As a thank you for your help, we will offer a reward for each report of a security problem still unknown to us. We determine the size of the reward, based on the severity of the leak and the quality of the report, and it will vary from an honourable mention to a gift.

Out of scope

  • Clickjacking
  • Denial of Service (DoS)

We aim to solve all problems as soon as possible and we are happy to be involved in any publication about the problem after it is solved.


Subscribe to our newsletter. For previous editions, click here.