Responsible disclosure policy

To ensure the daily delivery of thousands of parcels and letters runs smoothly, we pay a great deal of attention to the security of our IT systems. Nevertheless, vulnerabilities can still occur. Have you discovered a weakness in our systems? We kindly ask you to report it to us.

Naturally, we ask that you comply with the rules of responsible disclosure. These are outlined below:

• You do not exploit the vulnerability, for example by viewing, modifying, or deleting personal or confidential data, or by downloading more data than strictly necessary.
• You do not share your findings with others before we have resolved the vulnerability.
• If you have obtained personal or confidential data, you will delete or destroy it as soon as possible (after we have contacted you, of course).
• You do not use your findings to carry out a cyberattack.
• You have not made use of social engineering, distributed denial-of-service (DDoS) attacks, or spam.

If you follow these rules, you do not need to fear that your report will lead to legal action, even if you may have committed an unlawful or criminal act.

Please note: we work together with Zerocopter to assess your report. When submitting a report, you will leave our website.

If you report a vulnerability responsibly, we promise to:

• Respond promptly with our assessment and an expected timeline.
• Treat your report confidentially; you may also report anonymously.
• Keep you informed of progress, if you request this.
• Reward first reporters of medium- and high risk vulnerabilities with goodies and, with consent, a mention in our Hall of Fame.
• Refrain from legal action, provided you have complied with this Responsible Disclosure policy.

We aim to resolve all reports as quickly as possible. If you wish to publish about a vulnerability after it has been fixed, please inform us in advance.

We thank the following persons for their contribution: