Vulnerability report

1. Policy scope

Because of the desire to improve the performance and security of our websites, Vanbreda Risk & Benefits (VRB) has decided to implement a coordinated vulnerability disclosure policy. This enables outside participants who have good intentions to identify possible vulnerabilities and/or provide VRB with useful information.

Access to VRB websites and IT systems within the framework of this policy is granted only to persons whose intention is to improve their security, to inform us of existing vulnerabilities, and in strict compliance with the other conditions set out in this document.

Participants are also authorised to attempt to enter IT data into the IT system concerned, subject to the purposes and conditions of this policy.

Our policy relates to security vulnerabilities that could be abused by third parties or interfere with the proper functioning of our products, services, network or IT systems. Systems dependent on third parties are outside the scope of this policy, unless these third parties explicitly agree in advance to these rules.

List of the websites within the scope of this policy:

  • http(s)://*.vanbreda-digital.be

  • http(s)://*.myvanbreda.be

  • http(s)://*.vanbreda.be

  • http(s)://*.vanbreda.com

  • http(s)://*.vanbreda-health.be

  • http(s)://*.justitia.be

  • http(s)://*.artsecure.be

  • http(s)://*.jobsatvanbreda.be

  • http(s)://*.vanbreda-huysmans.be

  • http(s)://*.vanbreda-missinne.be

  • http(s)://*.vanbreda-ausloos.be

  • http(s)://*.vanbreda-geerts.be

  • http(s)://*.vanbreda-cornelis.be

  • http(s)://*.vanbreda-medius.be

  • http(s)://*.vanbreda-soenen.be

  • http(s)://*.ambuflex.be


List of IP subnets within the scope of this policy:

  • 193.108.201.0/24

  • 52.157.255.80/28

  • 20.76.35.128/28

  • 20.103.139.80/28

  • 185.143.188.0/22

If you have any questions about the scope of this policy, please contact VRB’s security team (security[at]vanbreda.be).

1.1 Mutual obligations of the parties

1.1.1 Proportionality

Participants undertake to comply strictly with the principle of proportionality in all their activities, i.e. not to disrupt the availability of the services provided by the system and not to exploit vulnerabilities beyond what is strictly necessary to demonstrate the security issue. Their approach must remain proportionate: once the security problem has been demonstrated on a small scale, no further action should be taken.

1.1.2 Actions that are not allowed

Participants are not permitted to take the following actions:

  • copying or altering data from the IT system or deleting data from that system;

  • changing the IT system parameters;

  • installing malware: viruses, worms, Trojan horses, etc.;

  • Distributed Denial of Service (DDoS) attacks;

  • social engineering attacks;

  • phishing attacks;

  • spamming;

  • stealing passwords or brute force attacks;

  • installing a device to intercept, store or learn of (electronic) communications that are not accessible to the public;

  • the intentional interception, storage or receipt of communications not accessible to the public or of electronic communications;

  • the deliberate use, maintenance, communication or distribution of the content of non-public communications or of data from an IT system where the participant should reasonably have known it had been obtained unlawfully.

1.2 Confidentiality

Under no circumstances may participants share any information collected under this policy with third parties, or otherwise disseminate it to third parties, without our prior and express consent.

Nor is it permitted to communicate IT data, communication data or personal data to third parties or to distribute this data to third parties.

Our policy is not intended to allow the deliberate disclosure of the content of IT data, communication data or personal data, and such disclosure may only occur by accident in the context of the detection of vulnerabilities.

If participants enlist assistance from a third party to perform their test, they shall ensure that the third party is aware of this policy in advance and agrees to comply with the terms of the policy, including confidentiality, when providing assistance.

1.3 Bona fide execution

VRB undertakes to implement this policy in good faith and not to bring civil or criminal proceedings against any participant who strictly complies with its terms and conditions and who has not intentionally caused harm to the IT systems concerned.

There can be no fraudulent intent, intent to harm, or desire to use or cause harm to the visited system or its data on the part of the participant.

If participants are in doubt about certain conditions of our policy, they must consult our point of contact in advance and must act in accordance with the written answer they receive.

1.4 Processing of personal data

A coordinated disclosure policy is not intended primarily or intentionally to process personal data. Unless it is necessary to prove the existence of a vulnerability, participants are not allowed to consult, retrieve or store personal data.

However, participants may, even by accident, get access to personal data that is stored, processed or transmitted in the IT system concerned. It may also be necessary for the participant to temporarily consult, retrieve or use personal data in the context of vulnerability detection. In this case, participants must also notify VRB’s Data Protection Officer: dpo[at]vanbreda.be.

When processing such data, participants undertake to comply with the legal obligations concerning the protection of personal data [1] and to comply with the terms of this policy.

The processing of personal data for purposes other than the detection of vulnerabilities in VRB’s systems, equipment or products is not allowed.

Participants may not store any personal data processed for longer than is necessary. During this period, participants must ensure that this information is stored with a level of protection that is proportionate to the risks (preferably encrypted). After being used for the purpose of the policy, this data must be deleted immediately.

Finally, participants must inform us of any loss of personal data as soon as possible after becoming aware of it.

[1] Regulation No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).


2. How to report security vulnerabilities

2.1 Point of contact

You must send the information discovered only to the following e-mail address: security[at]vanbreda.be

and/or fill in the following form:

The completed form must be sent in Word or PDF format (no scans) and must be password-protected or placed in a password-protected zip archive (to avoid being blocked by our security measures).

We would ask you (where possible) to use the following secure means of communication:

PGP Key ID: 51A2 8D37 9D1C 1DC9

Type: RSA-4096 Key

Fingerprint: 1C7F 6903 1FC8 653E 923D A54C 51A2 8D37 9D1C 1DC9

Please use a password to secure the form, which may be communicated to us by e-mail or another means of communication (telephone).

You can also contact VRB on the following telephone number:

+32 (0)3 217 67 67 (VRB Antwerp headquarters) and ask for the Information Security Officer.

2.2 Information to be provided

Please send us the related information as soon as possible after your discovery. Provide us with sufficient information so that we can reproduce the problem and solve it as quickly as possible.

Please provide us this information in Dutch or English.

Please use Annex 1: Form to report vulnerabilities as a template.

3. Procedure

3.1 Notification

Participants undertake to notify the point of contact or the coordinator referred to in point 2 of this policy as soon as possible about information on any vulnerabilities. Participants must use the secure means of communication mentioned.

After receiving a notification, VRB undertakes to send the participant a confirmation of receipt, within a reasonable period of time, containing a reminder of the obligation of confidentiality and the next steps in the procedure.

If participants do not receive a confirmation of receipt within a reasonable period of time, they may contact VRB's Data Protection Officer (dpo[at]vanbreda.be) so that this representative can contact VRB's security team.

3.2 Communication

The parties undertake to do their utmost to ensure permanent and effective communication. After all, the information provided by participants may be very useful in identifying a vulnerability and resolving it.

3.3 Analysis

During the analysis phase, VRB will reproduce the environment and the vulnerability identified, to check the information provided.

VRB undertakes to keep participants regularly informed of the results of its analysis and of the action taken based on their notification.

In the course of this programme, the parties are required to link the notification to similar or related notifications, to assess the risk and severity of the vulnerability and to identify any other affected products or systems.

3.4 Developing a solution

The goal of the disclosure policy is to enable the development of a solution to eliminate the vulnerability from the IT system before harm is done.

Where possible and taking into account costs and existing knowledge, VRB will try to develop a solution with its subcontractors as soon as possible, depending on the severity of the risks for the users of the systems concerned.

At this stage, VRB and its subcontractors undertake to carry out, on the one hand, positive tests to check that the solution is working properly and, on the other hand, negative tests to ensure that the solution does not interfere with the proper functioning of the other existing features.

3.5 Rewarding a disclosure

VRB undertakes to reward participants who report vulnerabilities in a manner that adheres to this framework. Rewards are proportional to the severity of the vulnerability reported.

Vulnerabilities are classified according to their impact on the confidentiality, integrity and availability of VRB’s services, IT systems and data.
The table below provides more insight into our severity model and the associated rewards.

                 Confidentiality    Integrity          Availability

Websites         50€ - 500€         100€ - 500€        50€ - 250€

IT systems       250€ - 5000€       250€ - 5000€       100€ - 5000€

Data             250€ - 5000€       250€ - 5000€       100€ - 5000€


Depending on severity, VRB’s internal security team will assess the vulnerability for its estimated impact. We will use the number of potentially impacted users as a guideline for rating the impact of the vulnerability.

Disclosures are only rewarded if the issue was not already known to VRB.

3.6 Possible publication

VRB will decide, in consultation with the participant, how the existence of the vulnerability may be published. At the same time as this disclosure, a security notice will be published on VRB’s website (or sent via e-mail), or included in a system update notice for users.

VRB also undertakes to collect users' comments on the application of the solution and to take the necessary corrective action to resolve any problems caused by the solution, including those relating to compatibility with other products or services.

3.7 Applicable law

Belgian law shall apply to any disputes relating to the application of this policy.


3.8 Duration

The rules of the policy apply from 1 January 2023 until such time as they are amended or annulled by VRB. Any such amendments or annulments will be published on VRB’s website and will automatically enter into force 30 days after their publication.

Annex 1: Form to report vulnerabilities

Download form