Responsible disclosure policy

Together we create a safe PostNL

To ensure the proper delivery of thousands of letters and packages a day, we pay a lot of attention to the cyber security of our IT systems. Unfortunately it’s still possible that there’s a vulnerability somewhere in our system. If you have found such a vulnerability we would like to tackle it together. Maybe you’ll even be honoured in our Hall of Fame!

Have you found a vulnerability?

...then we ask you kindly to follow the rules of the game:

  • Your findings will be examined by Zerocopter. Therefore you’ll need to report your findings on the website of Zerocopter.
  • Do not abuse your findings, for example by downloading more data than is necessary to illustrate the vulnerability, by looking into data of third parties, or by deleting or altering this data.
  • Do not share your findings with others until they are solved by us and we have given you permission to do so.
  • Delete and/or destroy the confidential data possibly received as a consequence of the vulnerability, after you have notified us of the vulnerability.
  • Do not use your findings to attack physical security.
  • Do not obtain your findings via social engineering, distributed denial of service or spam.
  • It will be sufficient to inform us of your findings in such a way that we can reproduce them and resolve the issue as soon as possible. Often the IP address or URL of the affected system and a description of the vulnerability are sufficient. When it comes to more complex vulnerabilities, it’s possible that we will need more information from you.

Out-of-scope vulnerabilities:

  • User enumeration without any further impact
  • Clickjacking without a well-defined security/privacy risk on pages with no sensitive actions
  • Denial of service
  • Issues without clear security impact (e.g.: Logged-Out CSRF)
  • CSRF without a demonstrated vulnerability
  • Self XSS or XSS that affects only out-of-date browsers (we require evidence on how the XSS can be used to attack another user)
  • Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure
  • Rate limiting issues that do not have a demonstrable impact
  • Reports from automated tools and scans
  • Missing cookie flags on non-sensitive cookies
  • Missing security headers which do not lead directly to a vulnerability (unless you deliver a PoC)
  • Version exposure (unless you deliver a PoC of a working exploit)
  • Directory listing with already public readable content
  • Missing best practices in SSL/TLS configuration

...and if you comply with our rules, we’ll do our share:

  • We will react as soon as possible to your report with our examination of your findings and an expected date of resolution.
  • We will treat your report confidentially and will not share your personal data with third parties unless it is necessary to resolve the vulnerability or if it is necessary to comply with a legal obligation. It is also possible to report your findings anonymously.
  • We will keep you posted on the progress of resolving the vulnerability if you have asked us to do so.
  • We will, for medium and high findings only, reward you with a package of goodies when you’re the first one to report this issue and if your findings have resulted in a fix.
  • We will, for medium and high findings only, honour your name on our Hall of Fame when you’re the first one to report this issue and if your findings have resulted in a fix. We will only do so with your explicit, informed, unambiguous and freely given permission.
  • If your findings on the vulnerability of our system are a consequence of possible criminal or unlawful actions, we will not take legal action against you if you have complied with our conditions specified in this Responsible disclosure policy.

We strive to resolve all reports as soon as possible. If, after the resolution of the vulnerability, you seek publicity or want to publish about it, we request you to discuss this with us and to inform us prior to the publication.

This Responsible Disclosure policy is based on an example of Floor Terra.