Responsible Disclosure

CloudSphere finds it essential that ICT systems are secure and strives for high security. However, it can happen that there is a weak spot in one of these systems.

Vulnerabilities in CloudSphere ICT systems
If you have found a weak spot in one of CloudSphere's ICT systems, we would like to hear from you. This way, we can take the necessary measures as soon as possible to fix the found vulnerability. To responsibly handle found vulnerabilities in ICT systems, there are agreements. You can hold CloudSphere to these agreements when you find a weak spot in one of the systems.

CloudSphere asks you to:
Email your findings to [email protected].

Provide sufficient information to reproduce the problem so that CloudSphere can solve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more may be needed for complex vulnerabilities.

Leave contact details so that CloudSphere can contact you to work together on a secure result. Leave at least an email address or phone number.

Report the vulnerability as soon as possible after discovery.

Not share information about the security problem with others until it is resolved.

Handle the knowledge about the security problem responsibly by not performing actions that go beyond what is necessary to demonstrate the security problem.

Avoid the following actions:
Placing malware
Copying, modifying, or deleting data in a system (an alternative is to make a directory listing of a system).

Making changes to the system.

Repeatedly accessing the system or sharing access with others.

Using brute force to access systems.

Using denial-of-service or social engineering.

What you can expect:

If you meet the above conditions when reporting a vulnerability in a CloudSphere ICT system, CloudSphere will not attach legal consequences to this report.

• CloudSphere treats a report confidentially and does not share personal data with third parties without the reporter's consent, unless required by law or court order.
• In mutual consultation, CloudSphere can, if you wish, mention your name as the discoverer of the reported vulnerability.
• CloudSphere will send you an acknowledgment of receipt within one working day.
• CloudSphere will respond to a report within three working days with an assessment of the report and an expected date for a solution.
• CloudSphere will keep the reporter informed of the progress of solving the problem.
• CloudSphere will solve the security problem you reported in a system as quickly as possible, but no later than 60 days. In mutual consultation, it can be determined whether and how the problem will be published after it is resolved.
• CloudSphere offers a reward as a thank you for the help. Depending on the severity of the security problem and the quality of the report, this reward can vary from a minimum of 50 to a maximum of 1000 euros. This must be an unknown and serious security problem for CloudSphere.
• Vulnerabilities in third-party ICT systems
• CloudSphere would also like to hear from you if you have found a weak spot in a government system or a system with a vital function. For systems of other owners/managers or suppliers, you should first contact the organization itself. If the organization does not respond or does not respond well, you can inform CloudSphere. CloudSphere will then act as an intermediary to achieve a result together.

For reports about third-party systems:

• CloudSphere will respond to a report within three working days by contacting the owner and giving you a response.
• The owner is primarily responsible for keeping the reporter informed of the progress of solving the problem.
• CloudSphere will help the owner with advice so that the security problem can be resolved as quickly as possible.
• CloudSphere asks you to inform us if and how there has already been contact with the organization.