Security

Coordinated Vulnerability Disclosure

This Coordinated Vulnerability Disclosure policy was last changed on 5 February 2025.

At Exonet, we highly value the security of our equipment, systems, software, and data. Despite our efforts to ensure security, vulnerabilities may still be present. If you discover a security weakness in one of our systems, we appreciate your help in improving our security.

We aim to collaborate in protecting our systems and customers. Therefore, we kindly ask you to report any vulnerabilities in a responsible manner.

Not for abuse reports

This procedure is strictly for reporting security vulnerabilities. Abuse-related matters, such as copyright infringement, illegal content, or other Materials as mentioned in our General Terms and Conditions (Article 6.2), do not fall under this policy. For our Notice & Takedown procedure, please refer to our General Terms and Conditions (Article 7) or contact us at abuse@exonet.nl.

What we ask from you

  • Email your findings to security@exonet.nl. Encrypt your findings using our PGP key to prevent the information from falling into the
    wrong hands,
  • Do not exploit the issue by, for example, downloading more data than necessary to demonstrate the vulnerability or by accessing,
    deleting, or modifying third-party data,
  • Do not share the issue with others until it has been resolved, and delete all confidential information obtained through the
    vulnerability immediately after the issue has been fixed,
  • Do not use attacks on physical security, social engineering, distributed denial-of-service (DDoS), spam, or third-party applications,
    and
  • Provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Typically, the IP address or
    URL of the affected system and a description of the vulnerability are sufficient, but more details may be required for complex
    vulnerabilities.

What can you expect from us?

  • We will respond to your report within five days with our assessment and an estimated resolution date,
  • If you adhere to the above conditions, we will not take legal action against you regarding the report,
  • We will treat your report confidentially and will not share your personal information with third parties without your permission
    unless legally required. Reporting under a pseudonym is possible,
  • We will keep you informed about the progress of resolving the issue,
  • If desired, we will credit you as the discoverer of the vulnerability in public communications about the reported issue, and
  • As a token of appreciation, we may offer a reward if the reported vulnerability is previously unknown to us and assessed as high risk.

Out-of-scope

There may be known vulnerabilities and security issues that fall outside this policy. This does not mean they should not be addressed, but our CVD process focuses on reporting issues that can be directly exploited, for example a vulnerability with a working exploit or a misconfiguration that allows bypassing an existing security control. The severity of the vulnerability and the quality of the report will always be considered.

Final note

We strive to resolve vulnerabilities as quickly as possible. If you are considering publishing your findings after the issue has been resolved, we would appreciate discussing this with you. Together, we can create a safer digital environment. Thank you!

With thanks to Floor Terra for his example text on responsibledisclosure.nl.