1. Reporting a Vulnerability

If you discover a weakness (vulnerability) on our website or in an IT system of AppSys ICT Group, please report it. AppSys ICT Group will review the problem and resolve it as soon as possible. This helps us protect our data and systems even better. This method of collaboration is called Coordinated Vulnerability Disclosure (CVD).

AppSys ICT Group secures the data on its website and in IT systems with care. However, weak spots may exist. Cybercriminals can exploit these by breaking into the system and changing or stealing data for criminal activities. By reporting these weak spots, you help us keep the data safe.


2. Scope

In principle, all assets (websites, domains, IP addresses) belonging to AppSys ICT Group are in scope.


3. Which vulnerabilities are in scope?

In principle, all types of vulnerabilities are in scope, as long as they impact the security of AppSys ICT Group's services. Privacy is also included.


4. Reporting

  • Report the weak spot you have discovered as soon as possible via the form.
  • Note: if you report anonymously, AppSys ICT Group cannot contact you.
  • Provide sufficient information so that AppSys ICT Group can review (reproduce) the problem and resolve it as soon as possible. Usually, the IP address or URL of the vulnerable system and a description of the weak spot is sufficient. For more complex vulnerabilities, more information is often needed.
  • Do not exploit the weak spot. For example, do not view other people's data. Also, do not delete or change other people's data. If you download data, do not download more than necessary to demonstrate the weak spot.
  • Do not share the problem with others until AppSys ICT Group has resolved the issue.
  • Delete all confidential data you have downloaded after AppSys ICT Group has resolved the issue. Do not share this data with others.
  • Do not use:
    • Techniques that endanger the services of AppSys ICT Group.
    • Attacks on physical security, such as gates and locks.
    • Psychological manipulation (social engineering).
    • Attacks with many login attempts (brute-force attacks).
    • Spam.

5. After Reporting

AppSys ICT Group:

  • Will respond within 10 working days to your report with an assessment and an expected date for a resolution.
  • Will keep you informed about the progress of resolving the issue.
  • Will not take legal action against you regarding the report, provided you have adhered to the conditions.
  • Will treat your report confidentially and will not share your personal data with third parties without your permission, except if AppSys ICT Group is legally obliged to share your personal data. You may report under a pseudonym.
  • May offer a reward as a thank you for your help. AppSys ICT Group will determine this per report. The amount of the reward mainly depends on the severity of the vulnerability and the quality of your report.

AppSys ICT Group aims to resolve all issues as quickly as possible and to inform all involved parties. We appreciate being informed if the resolved issue is published.