Responsible Disclosure

The security of this website is very important to CCV Group. In spite of our care to strengthen the security of our information systems, it is still possible that there are vulnerabilities in our website.

We value the assistance of security researchers and others in the security community to improve the security of our website. We like to work together with you to better protect our customers and our website.

What we ask you:

  • Email your findings to security@ccv.eu. Encrypt your findings with our PGP key to prevent the information from falling into the wrong hands.
  • Do not abuse the problem by downloading more data than is necessary to demonstrate the leak, or by viewing, removing, or modifying third-party data;
  • Do not share the problem with others until it is resolved and erase all confidential data obtained through the leak immediately after remediation of the problem;
  • Do not use attacks on our physical security, social engineering, distributed denial of service attacks, spam, or attacks on third-party applications; and
  • Provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a vulnerability description are sufficient, but for more complicated vulnerabilities more detailed information may be needed.

What we promise:

  • Within 5 days, we will respond to your notification;
  • Wait until notified that the vulnerability has been resolved before disclosing it;
  • If you have met the above terms, we will not take legal action regarding the notification;
  • We treat your report confidentially and will not share your personal information with third parties without your consent unless necessary to comply with a legal obligation. Reporting under a pseudonym is possible;
  • We offer a reward for any notification that we qualify as a vulnerability. We determine the size of the reward based on the severity of the leak and the quality of the notification with a voucher of € 50 at a minimum.

Qualifying vulnerabilities

We define qualifying vulnerabilities as follows: web application vulnerabilities such as XSS, XXE, CSRF, SQLi, local or remote file inclusion, authentication issues, remote code execution, authorization issues, and privilege escalation. These qualifying vulnerabilities must have an impact on the security of the web application and present an increased risk to our customers. You must be the first researcher to responsibly disclose the vulnerability.

Each submission will be evaluated on a case-by-case basis. Here is a list of some of the issues which don’t qualify as security vulnerabilities:

  • Reports of old software versions;
  • Missing best practices;
  • Use of components with known vulnerabilities without a relevant proof of concept of the attack;
  • Automated tool scan reports (for example web, SSL/TLS, or Nmap scan results);
  • Self-XSS and XSS that affects only outdated browsers;
  • UI and UX bugs and spelling mistakes;
  • TLS/SSL related issues;
  • SPF, DMARC, DKIM configurations;
  • Vulnerabilities due to out of date browsers or plugins;
  • Content-Security Policies (CSP);
  • Vulnerabilities in end of life products;
  • Lack of secure flag on cookies;
  • Username enumeration;
  • Vulnerabilities relying on the existence of plugins such as Flash;
  • Flaws affecting the users of out-of-date browsers and plugins;
  • Missing security headers such as, but not limited to, "content-type-options" and "X-XSS-Protection";
  • Missing CAPTCHAs as a security protection mechanism;
  • Issues that involve a malicious installed application on the device;
  • Vulnerabilities requiring a jailbroken device;
  • Vulnerabilities requiring physical access to mobile devices;
  • Use of a known-vulnerable library without proof of exploitability;
  • Click/Tap-jacking and UI-redressing attacks that involve tricking the user into tapping a UI element;
  • Host header and banner grabbing issues;
  • Denial of Service attacks and Distributed Denial of Service attacks;
  • Rate limiting and brute-force attacks;
  • Login/logout/low-business impact CSRF;
  • Unrestricted file upload;
  • Session fixation and session timeout;
  • Formula/CSV injection.

PGP key: ccv-pgpkey.txt