To ensure the proper delivery of thousands of letters and packages a day, we pay a lot of attention to the cyber security of our IT systems. Unfortunately, it’s still possible that there’s a vulnerability somewhere in our system.

If you have found such a vulnerability, we would like to tackle it together. Maybe you’ll even be honoured in our Hall of Fame!

Have you found a vulnerability?

...then we ask you kindly to follow the rules of the game:

  • Your findings will be examined by Zerocopter. Therefore you’ll need to report your findings on the website of Zerocopter.
  • Do not abuse your findings, for example by downloading more data than is necessary to illustrate the vulnerability, by looking into data of third parties, or by deleting or altering this data.
  • Do not share your findings with others until they are solved by us and we have given you permission to do so.
  • Delete and/or destroy any confidential data you may have received as a consequence of the vulnerability, after you have notified us of the vulnerability.
  • Do not use your findings to attack physical security.
  • Do not obtain your findings via social engineering, distributed denial of service or spam.
  • It will be sufficient to inform us of your findings in such a way that we can reproduce them and resolve the issue as soon as possible. Often the IP address or URL of the affected system and a description of the vulnerability are sufficient. When it comes to more complex vulnerabilities, it’s possible that we will need more information from you.

Report your findings

...and if you comply with our rules, we’ll do our share:

  • We will respond to your report as soon as possible with our examination of your findings and an expected date of resolution.
  • We will treat your report confidentially and will not share your personal data with third parties unless it is necessary to resolve the vulnerability or if it is necessary to comply with a legal obligation. It is also possible to report your findings anonymously.
  • We will keep you posted on the progress of resolving the vulnerability if you have asked us to do so.
  • We will reward you with a package of goodies when you’re the first one to report this issue and if your findings have resulted in a fix.
  • We will honour your name in our Hall of Fame when you’re the first one to report this issue and if your findings have resulted in a fix. We will only do so with your explicit, informed, unambiguous and freely given permission.
  • If your findings on the vulnerability of our system are a consequence of possible criminal or unlawful actions, we will not take legal action against you if you have complied with the conditions specified in this Responsible Disclosure policy.

We strive to resolve all reports as soon as possible. If, after the resolution of the vulnerability, you seek publicity or want to publish about it, we request you to discuss this with us and to inform us prior to the publication.

This Responsible Disclosure policy is based on an example of Floor Terra.