Responsible disclosure policy

Version 1.0, 23-07-2020

At Thalia, we take the security of our infrastructure and digital systems seriously. We develop, build and deploy all systems with security in mind. However, we can never be 100% secure and vulnerabilities will, unfortunately, present themselves. If you find a (potential) vulnerability or security issue, we would appreciate it if you informed us as soon as possible.

We ask you to

  • send any and all reports about potential security issues to www@thalia.nu (in either English or Dutch).
  • notify us as soon as possible about any potential security issue.
  • give detailed reports of your findings to help us identify the underlying problem.
  • only exploit vulnerabilities to confirm their presence.
  • not use social engineering, physical attacks, (distributed) denial of service or spam attacks against any of our systems.
  • not share your report with anybody else until the problem has been fixed.
  • involve us if you want to publish your report once it has been fixed.
  • respect the privacy of our members.

We promise to

  • take your reports seriously.
  • respond to your reports as soon as possible.
  • solve the issue as soon as possible.
  • respect your privacy and treat your reports confidentially.
  • keep you up to date and work with you to solve the underlying problem.
  • credit you in any internal and external announcements (with your permission).
  • not take any legal action if you followed the above guidelines.
  • reward you as Thalia sees fit.