Responsible Disclosure Policy

At Underlined we consider the security of our systems very important. Despite our concern for the security of our systems, it is possible that there is a weak spot. If you have found a weak spot in one of our systems, we would like to hear about it. We can then take measures as quickly as possible. We would like to work with you to better protect our systems.

1. If you notice a possible weak spot in the systems of Underlined, we ask you to email your findings to security@underlined.nl by means of a detailed explanation of the weak spot.

2. Describe the issue found in as much detail as possible. Your report will be handled by specialists; you can use technical jargon where necessary or desired. We ask you not to abuse the weak spot by, for example, downloading more data than is necessary to demonstrate the leak or to view, delete or modify data from third parties.

3. You can choose to add your contact details (name, e-mail address and telephone number) or you can make the report anonymously.

4. A team of security experts will investigate your report and provide an initial response within 10 working days. In the meantime, don’t make the problem public, talk to our experts, and give them time to solve the problem. We will let you know what we think of your report, whether we will implement a solution and when we will do so.

When investigating the vulnerability you found, you may be committing criminal acts. If you have acted in good faith, carefully and in accordance with the rules set out below, Underlined has no reason to report. Therefore, please adhere to the following rules when conducting research.

Rules when conducting research:

Make sure that you do not cause any damage with the found vulnerability. Under no circumstances may your actions lead to an intentional interruption of the service or to the disclosure of the Underlined data or its relations/customers.

Do not use social engineering to gain access to a system.

Do not place a backdoor in an information system and then use it to demonstrate the vulnerability, as this can cause additional damage and lead to unnecessary security risks.

Make minimal use of a vulnerability, only do what is necessary to determine the vulnerability.

Do not change or remove any data from the system and be as restrained as possible in copying data (if one record is enough to show the problem, do not proceed).

Do not make any system changes.

Do not repeatedly attempt to access the system and do not share access with others.

Do not use brute force to gain access to systems. After all, there is no question of a vulnerability, but only of repeatedly trying passwords.

The hotline is not intended for:

Submitting complaints about the service.

Making fraud reports and/or suspected fraud reports of fake e-mails or phishing e-mails.

Report viruses.

Submitting complaints or questions about the availability of the website.

Your privacy

To follow up on the report, you can choose to provide us with your contact details (name, e-mail, and telephone number). We will not disclose your identity to third parties without your consent or use your data for purposes other than to provide appropriate follow-up to your report, unless there is a legal obligation to do so, for example in the event of a claim by the judiciary. We handle your personal data according to the guidelines as described in our privacy statement.

Other conditions

With regard to internet security and privacy, Dutch legislation applies. We can only accept reports that have been drawn up in Dutch or English. This responsible disclosure regulation has been established based on the guidelines of the National Cyber Security Center.