
At Zenya / Infoland, we consider the security of our systems a top priority. But no matter how much effort we put into security, there can still be vulnerabilities present.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.

What you do not need to report (out of scope)

Zenya does not accept reports of minor vulnerabilities or security issues that cannot be exploited. Below you can find examples of known vulnerabilities and security issues that are not covered by our scheme.

This does not imply that these issues should be ignored. However, our Coordinated Vulnerability Disclosure (CVD) process is designed for reports of issues that can be directly exploited, such as a vulnerability with an existing exploit or a misconfiguration that allows bypassing a security measure.

We will review all reports and may classify them as ‘out of scope’ if they do not pose a significant risk.

Examples:

  • Simple fingerprinting or version listings on OS, services or ports
  • Registered public IP addresses
  • Incomplete or missing SPF, DKIM or DMARC records
  • Outdated versions without proof-of-concept or working exploit
  • E-mail addresses found in a third-party data breach
  • Cosmetic issues, e.g. this does not look good in browser A
  • Public files or directories that do not contain confidential information
  • Missing security headers, options and flags
  • URL redirection (to a valid webpage)
  • TLS misconfiguration without a proof of concept to exploit the weakness
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages and content spoofing/text injections in these pages
  • Clickjacking, and vulnerabilities that can only be exploited through clickjacking
  • Resource exhaustion / (Distributed) Denial of Service
  • Situations that cannot be reproduced; exploits that are not validated with a second tool/method, e.g. wrong result in tool A, right result in tool B
  • Rate-limiting with no apparent impact
  • Services running at third-party service providers (verify their responsible disclosure statement beforehand)

There are also problems that we are already aware of and are working on, or that we recognize as accepted risks. As a result, such an issue will not be dealt with.

How to report a vulnerability

  • You can submit your findings through our Coordinated Vulnerability Disclosure form.
  • Include as much information as possible; this can help us fix the issue. Ideally include:
    • A detailed description of the vulnerability (complete with IP addresses, logs, screenshots, etc.)
    • Steps to reproduce the issue.
    • Any potential impact of the vulnerability.
  • Include your contact information; we only need an e-mail address so we can contact you if we have any questions.

Ensure that you:

  • Report the vulnerability as soon as possible after discovering it.
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying data.
  • Provide us with a reasonable amount of time to address the issue; don’t reveal the problem to others until it has been resolved.

What must you not do?

You must never perform the following actions:

  • Introduce malware into the system.
  • Copy, edit or delete data in the system.
  • Make changes to the system.
  • Repeatedly access the system or share access to the system with others.
  • Perform brute-force attacks to gain access to a system.
  • Perform denial-of-service attacks or social engineering.

Our commitment

  • Acknowledging your report within 5 business days.
  • Providing you with an estimated timeline for addressing the vulnerability.
  • Keeping you informed of the progress and status of your report.
  • Notifying you when the vulnerability has been resolved and whether and in what way to publish details of the problem and its resolution.
  • Depending on the severity of the security problem and the quality of the report, Zenya will offer a reward to thank you for your help. To be eligible for a reward, the report must concern a serious security problem that is not yet known to us.

Your privacy

We will use your personal data only to act on your report. We will not share your personal data with others without your permission, unless legally required to do so. We will anonymize your personal data 2 years after closing the report.