CVDP - coordinated vulnerability disclosure policy
Version December 2024
Introduction
At Niko NV and its affiliated entities (hereinafter referred to as "we" or "us"), the security of our information, products and systems is very important to us. Despite our concern for its security, it is possible that there is still a vulnerability.
If you have found a vulnerability in one of our systems, we would like to hear about it so that we can take measures as soon as possible. We would like to work with you to better protect our customers and our systems.
That is why we have opted for a policy of coordinated disclosure of vulnerabilities (the "coordinated vulnerability disclosure policy"), so that you can inform us when you discover a vulnerability. This coordinated vulnerability disclosure policy applies to all our systems and products. If you have any doubts, we ask you to contact us to obtain clarity via infosec@niko.eu.
1. What we ask of you
1.1. If you discover a vulnerability in one of our systems, we ask you:
- a) To email your findings to infosec@niko.eu, encrypting them with our PGP key to prevent the information from falling into the wrong hands;
- b) Not to abuse the problem by, for example, downloading more data than is necessary to demonstrate the leak or to view, delete or modify data from third parties;
- c) Not to share the problem with others until it has been resolved and to delete all confidential data obtained through the leak immediately after the leak has been closed;
- d) Not to use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications; and
- e) To provide sufficient information to reproduce the problem so that we can solve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more complex vulnerabilities may require more.
2. Rules you must follow
2.1. Participants in this coordinated vulnerability disclosure policy may not perform the following actions:
- a) Copying or modifying data from the product or system or deleting data from that system;
- b) Changing the parameters of the product or system;
- c) Installing malware: viruses, worms, trojans, etc.;
- d) Distributed denial of service (DDoS) attacks;
- e) Social engineering attacks, phishing attacks or spamming;
- f) Stealing passwords or brute force attacks;
- g) Installing a device to intercept, store or learn about (electronic) communications that are not accessible to the public;
- h) Intentionally intercepting, storing or receiving non-public communications or electronic communications;
- i) The deliberate use, storage, communication or dissemination of the content of non-public communications or of data from an IT system that the participant should reasonably have known was unlawfully obtained.
2.2. In addition, we ask participants:
- a) Not to disclose the vulnerability until we have been able to correct the vulnerability. See below for possible publication afterwards;
- b) To delete all data obtained through the vulnerability immediately after the report;
- c) Not to carry out any actions that could have a possible impact on the proper functioning of the system, both in terms of availability and performance, but also in terms of confidentiality and integrity of the data.
Actions under this coordinated vulnerability disclosure policy should be limited to conducting tests to identify potential vulnerabilities and sharing this information with us. If, after the vulnerability has been fixed, you wish to distribute a publication about this, we ask you to notify us at least one month prior to the publication. We also ask you to give us the opportunity to respond to this. Mentioning one or more of our organisations, directly or indirectly, in a publication is only permitted with our express written permission.
3. What we promise
- a) We will respond to your report within a short period of time, if possible within 5 working days, with our assessment of the report and an expected date for a solution;
- b) We will treat your report confidentially and will not share your personal data with third parties without your permission unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is possible;
- c) We will keep you informed of the progress of resolving the problem;
- d) In reporting on the reported problem, we will, if you wish, mention your name as the discoverer;
- e) As a thank you for every report of a security problem unknown to us, we offer the opportunity to be mentioned in our "Hall Of Fame";
- f) We may choose to ignore lower-quality notifications.
If you have any questions, please address them to infosec@niko.eu.