
Daxis ICT considers the security of websites hosted by us very important. Despite our concern for security, it is possible that a vulnerability is found.

Did you find a weak spot in a website hosted by us? For example, you may have accidentally encountered it during the normal use of this site. You may have even tried your best to find a weak spot. In any case, let us know so that we can take measures as soon as possible.

This is by no means an invitation to extensively scan and test our websites to find weak spots. We’ll do that ourselves.

We are happy to work with you to better protect the security of websites hosted by us. We always take your report seriously if it meets the conditions of our Coordinated Vulnerability Disclosure policy, and investigate any suspected vulnerability.

In our Coordinated Vulnerability Disclosure policy below, we clarify what we ask of you and what we promise if you report a vulnerability to us.

We ask you to:

  • email your findings as soon as possible to security@daxis-ict.nl;
  • preferably encrypt your e-mail with our PGP key;
  • provide enough information to reproduce the problem so that we can resolve it as quickly as possible;
    usually the IP address or URL with a description of the vulnerability is sufficient, but more complex vulnerabilities may require more information;
  • not conduct tests that involve attacks on physical security, social engineering, or third-party applications;
  • not perform brute-force or denial-of-service attacks;
  • not abuse the vulnerability by, for example, changing or deleting data or installing malware;
  • not share the problem with others until we have resolved it;
  • not copy any data from our systems other than what is absolutely necessary to demonstrate the breach;
  • leave contact details (email address and telephone number) so that we can contact you to work together towards a safe result.

We promise to:

  • respond to your report within five working days with the assessment of the report and an expected date for a resolution;
  • treat your report confidentially: we will not share your personal data without your consent;
    the exceptions to this are the police and the justice department, in the event of a report or if data is demanded;
  • keep you informed about the progress in resolving the problem;
  • if you wish, mention your name as the discoverer in communications about the reported problem;
  • ensure that an accidental discovery of a vulnerability will not lead to a report against you, as long as you play by the rules and behave in the spirit of Coordinated Vulnerability Disclosure.

Exclusions:

Because our time is scarce, we ask you:

  • not to report trivial findings for which no exploits are known and/or which result in little or no risk;
  • not to blindly report findings of automated vulnerability scanning tools. Do not copy and paste findings into an email.

Below are some examples of findings that you do not have to report to us. If you report them anyway, we may not respond to your e-mail.

  • Vulnerabilities on domains other than those hosted by Daxis ICT;
  • Header information disclosures;
  • SSRF vulnerability (This is not a vulnerability but deliberate functionality that is necessary for the proper functioning of the website.);
  • Publicly accessible files or folders containing non-sensitive information (such as robots.txt or images);
  • Missing standards that Internet.nl does not promote (such as MTA-STS);
  • Alleged deviations that do meet the test standard used by Internet.nl (such as for security headers).