Security.txt Policy

When you investigate or report a vulnerability on a Bekaert domain or subdomain, you must not take any of the actions listed under "Proportionality and necessity of actions" below.

How to report a security vulnerability?

Contact report-a-security-issue to report issues including:

  • A non-exploitable vulnerability, with a description of the vulnerability, a proof of concept and a suggested remediation
  • Something you think could be improved - for example, missing security headers
  • TLS configuration weaknesses - for example, weak cipher suite support or the presence of TLS 1.0 support

After you’ve reported the vulnerability

  • You’ll get confirmation that we have received your report within 5 working days. We’ll try to assess your report within 10 working days. We prioritise fixes by impact, severity and exploit complexity.
  • You’ll get updates on progress towards fixing the vulnerability. We currently don’t run a bounty program.
  • Once the vulnerability has been fixed, we will inform you.

What are your obligations in the context of the search for and reporting of a vulnerability?

  • You must limit yourself strictly to the facts necessary to report a vulnerability. Thus, you must not act beyond what is necessary and proportionate to verify the existence of a vulnerability.
  • You must act without fraudulent intent or intent to cause harm; you may not attempt to monetize the information discovered, whether with the responsible organization or with third parties.
  • As soon as possible after discovering a potential vulnerability, you must report it in writing via the Bekaert Portal referred to above, following the procedures described below.
  • You must not publicly disclose information about the discovered vulnerability without our agreement.

Investigating and reporting vulnerabilities

  • When investigating a vulnerability, please only ever target your own accounts. Never attempt to access anyone else's data, and do not engage in any activity that would be disruptive or damaging to your fellow users or to Bekaert.
  • If you have found a security vulnerability, please submit your report through the form available at the link provided in security.txt. Please be succinct: your report is triaged by security engineers, and a short proof-of-concept link is more valuable than a video explaining the consequences of a vulnerability. Note that we are only able to respond to technical vulnerability reports.

Proportionality and necessity of actions

Participants are not permitted to take the following actions:

  • copying or altering data in the IT system, or deleting data from that system;
  • changing the IT system parameters;
  • installing malware: viruses, worms, Trojan horses, etc.;
  • Distributed Denial of Service (DDoS) attacks;
  • social engineering attacks;
  • phishing attacks;
  • spamming;
  • stealing passwords or brute-force attacks;
  • publishing information on the dark web;
  • installing a device to intercept, store or learn of (electronic) communications that are not accessible to the public;
  • the intentional interception, storage or receipt of communications not accessible to the public or of electronic communications;
  • the deliberate use, retention, communication or distribution of the content of non-public communications or of data from an IT system where the participant should reasonably have known it had been obtained unlawfully;
  • causing foreseeable damage to the visited system or its data;
  • all other offences (e.g. burglary, theft, assault, blackmail, etc.).

Your actions must be strictly limited to the facts that are necessary to allow the research and the reporting of a vulnerability of a network and information system.

The following may be considered such facts:

  • unauthorized access or attempted access to a computer system
  • exceeding or attempting to exceed an authorization to access a computer system
  • taking over or copying computer data
  • the development or possession of hacking tools
  • possession, disclosure, use or dissemination of information obtained through unauthorized access - for example, information available on the Internet
  • introduction or modification of data in a computer system
  • interception or attempted interception of communications
  • the violation of an obligation of professional secrecy or a contractual obligation of confidentiality

Personal Data

  • During your research and reporting of a vulnerability, you may encounter personal data.
  • The processing of personal data is broad in scope and includes the storage, modification, retrieval, consultation, use or disclosure of any information that may relate to an identified or identifiable natural person. Whether a person is "identifiable" does not depend merely on whether the data processor intends to identify the person, but on whether the person can be identified, directly or indirectly, from these data (for example: an email address, identification number, online identifier, IP address or location data).
  • If so, make sure that you comply with your obligations under the GDPR as a data controller.
  • Respecting the principles of necessity and proportionality, you must limit any processing of such data to the strict minimum and exclude its use for any purpose other than demonstrating the existence of a vulnerability, demonstrating the reality of your actions and communicating this information to us. Where a vulnerability can be demonstrated with some personal data, not all accessible data need be processed or retained.
  • You must ensure that any data you have to process is kept with a level of security appropriate to the risks involved (preferably encrypted and anonymized) and that this data is deleted as soon as the processing ends, i.e. at the end of the reporting procedure or, in the event of a challenge or legal proceedings, at the end of those proceedings.
  • You must also inform the responsible organization and the Data Protection Authority (DPA), as soon as possible and no later than 72 hours after becoming aware of it, of any loss of this data that could create a risk for the rights and freedoms of the natural persons concerned (the data subjects).