Responsible Disclosure

• Email your findings to cert@astron.nl. Encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands.
• Not abuse the problem by, for example, downloading more data than necessary to demonstrate the leak or accessing, deleting or modifying third-party data,
• Not sharing the problem with others until it is resolved and deleting all confidential data obtained through the leak immediately after the leak is closed,
• Not use physical security attacks, social engineering, distributed denial of service, spam or third-party applications,
• Provide sufficient information to reproduce the problem so that we can fix it as soon as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more may be required for more complex vulnerabilities.

• We will respond to your report within 3 working days with our assessment of the report and an expected date for resolution,
• If you have complied with the above conditions, we will not take any legal action against you regarding the report,
• We will treat your report confidentially and will not share your personal information with third parties without your consent unless necessary to comply with a legal obligation. Reporting under a pseudonym is possible,
• We will keep you informed of the progress in resolving the problem,
• In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise),
• As a thank you for your help, we will offer a reward for each report of a security problem still unknown to us. We determine the size of the reward, based on the severity of the leak and the quality of the report, and it will vary from an honourable mention to a gift.

• Clickjacking
• Denial of Service (DoS)

We aim to solve all problems as soon as possible and we are happy to be involved in any publication about the problem after it is solved.