Responsible Disclosure

At CCV Group we take the security of our systems seriously. Despite our efforts to strengthen the security of our systems, a weakness may still exist.

If you have found a weakness in one of our systems, we would like to be informed so we can take action as soon as possible. We would like to work together with you to better protect our customers and our systems.

What we ask you:

  • Email your findings to Encrypt your findings with our PGP key to prevent the information from falling into the wrong hands.
  • Do not abuse the problem by downloading more data than necessary to detect the leak, or by checking, removing, or modifying third-party data;
  • Do not share the problem with others until it is resolved and erase all confidential data obtained through the leak immediately after remediation of the problem;
  • Do not use attacks on our physical security, social engineering, distributed denial-of-service attacks, spam or third-party applications, and
  • Provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a vulnerability description are sufficient, but for more complicated vulnerabilities more detailed information may be needed.

What we promise:

  • Within 3 days, we will respond to your notification with our review of your finding and an expected date for a solution;
  • If you have met the above terms, we will not take legal action regarding the notification;
  • We treat your report confidentially and will not share your personal information with third parties without your consent unless necessary to comply with a legal obligation. Reporting under a pseudonym is possible;
  • We will keep you posted on the progress of solving the problem;
  • In reporting on the problem we will, if you wish, mention your name as the discoverer, and
  • As a thank you for your help, we offer a reward for any notification of an unknown security issue. We determine the size of the reward based on the severity of the leak and the quality of the notification, with a voucher of € 50 at a minimum.

We strive to resolve all issues as quickly as possible and we are happy to be involved in any publication about the problem after it has been resolved.

ccv-pgpkey.txt