Coordinated Vulnerability Disclosure (CVD)
Reporting vulnerabilities
Have you discovered a vulnerability in our systems? We’d love to hear about it. Your help allows us to prevent abuse and improve the security of our services.
Which vulnerabilities can you report?
You can report issues related to our online services, such as:
- Cross-Site Scripting (XSS)
- SQL Injection
- Cross-Site Request Forgery (CSRF)
- Remote Code Execution
- Unauthorized access to data
Good to know
Have you received a fake email, SMS, or letter (phishing)? Know how to recognize and report them:
Report fake emails
How do I report a vulnerability?
Rewards for reporting via HackerOne
Anyone can report a vulnerability, even if you're not a customer. Use our form on HackerOne to do so:
Report a vulnerability via HackerOne
We offer appropriate rewards through HackerOne if your report helps us fix vulnerabilities. Our reward structure is listed on the HackerOne page. Zwitserleven decides whether you qualify for a reward and the amount. No reward will be given if:
- Someone else has already reported the same (or a similar) vulnerability.
- The vulnerability is already known to us.
- There is abuse or violation of the rules.
Anonymous reporting
You can also report a vulnerability anonymously (in Dutch or English) by emailing us at: ResponsibleDisclosure@zwitserleven.nl.
Include sufficient information in your email to allow us to reproduce and verify the vulnerability, such as a specific URL, a step-by-step plan or a proof of concept. Please note that we will not be able to give you a reward if you report anonymously.
Program rules
Zwitserleven greatly appreciates your report, but we also want to ensure that our customers can continue using our online services securely and without any disruption. Please follow these rules, act in good faith, and avoid disproportionate actions.
Do not cause damage
Do not cause damage or disrupt our services while investigating a vulnerability.
- Never interrupt our services.
- Use a maximum of 1 concurrent connection or thread during testing.
- Do not make any changes to our systems.
- Do not alter or delete data from our systems.
Do not disturb other users or compromise their data
- Use only your own accounts and contact details, or those for which you have explicit, verifiable permission.
- Avoid privacy violations and data destruction.
- Be cautious when retrieving or copying data. Only access what is necessary to demonstrate the vulnerability.
- Never share customer or company data with others.
- Do not perform actions that other users might notice. For example, don't post tests on a public forum, in the comments on a public page, via a DM to another user, etc.
- Secure your own systems that contain information about the vulnerability or test data.
Social, physical and brute force testing are not allowed
- All forms of Denial of Service (DoS), brute forcing and enumeration are not allowed.
- Social engineering (e.g., phishing, vishing, smishing) is not permitted.
- Do not launch attacks on our physical security.
Do not abuse
- Only use discovered vulnerabilities for your own research and report, and for no other purpose.
- Make minimal use of vulnerabilities. Do only what is necessary to determine the vulnerability.
- Do not share vulnerabilities with any other party than Zwitserleven.
- Communicate with our experts and give us time to resolve the issue.
- Do not implement backdoors or introduce new vulnerabilities.
Did you accidentally violate any of these rules, for example by causing publication, a disruption or other damage? Please contact us immediately: ResponsibleDisclosure@zwitserleven.nl
How will Zwitserleven follow up on your report?
Our security experts will investigate your report. We aim to provide an initial response within 3 working days.
Your privacy
We do not share your data with others nor do we use it for other purposes unless we are required to do so by law, for example, in the case of a claim to provide relevant data to the authorities.