Bug Bounty Program Rules

How do I report a bug?

You can report a bug via the contact form on this page. Always remember the following points:

  • Share as much information as possible so that we better understand the vulnerability and can resolve it as quickly as possible;
  • Your contact details are requested so that we can ask any questions about the report;
  • Share the finding as soon as possible after discovering the vulnerability;
  • If you have found a vulnerability or bug, we ask you not to take any action beyond what is necessary.

Once we have received the message, you can expect a response from us within 24 hours. Files such as photos and videos can be shared via a secure page. When reporting, we ask that you do not reveal the problem and that you give us time to resolve it.

What other rules apply?

Good rules prevent unnecessary discussion! The simplest rule is that the bug must not yet be known to us (duh…). If multiple people report the same bug, the reward goes to the first reporter. In addition, the following specific conditions apply:

  • When demonstrating a bug, we ask you to be responsible with the knowledge of the bug and any data that has been released;
  • Your research should never lead to personal information being made public;
  • Do not share information about the security issue with others until it has been resolved;
  • Your research may not make use of social engineering;
  • The use of brute force techniques is not permitted;
  • It is not permitted to place backdoors on our system during your research;
  • It is not permitted to delete, change or copy data from the system;
  • It is not allowed to make system changes;
  • The research must not hinder the progress of our services;
  • And of course no damage may be caused.

Can I participate anonymously?

Yes, we will never share your data with external parties, but of course we must be able to maintain contact with you. If the problem is of such a magnitude that we engage an external agency, we can ask you if we can share your data with them.

Laws and regulations

When investigating or reporting bugs, always pay attention to our rules and the applicable laws and regulations! By reporting the vulnerability before you make it known to the outside world, you enable Eerlijk Bieden to take measures first. This is called Coordinated Vulnerability Disclosure (formerly Responsible Disclosure). Eerlijk Bieden follows the Dutch central government’s policy in this respect.