We appreciate customers and security researchers reporting vulnerabilities in our software and infrastructure to us.
We encourage customers and researchers to test the security of our product and infrastructure, provided this is done responsibly. If you plan to execute such a test, please contact our Support department, and ask for the collaboration agreement that we have in place for this purpose. It provides guidelines on how to work together with us, which for instance prevents our security team from interfering with your tests when detected by our monitoring.
If you have found (possible) security issues, we really appreciate it if you report them to us. We strive to respond to your reports with an assessment, which will include remediation steps if available, within one working day. You can report your findings using one of the following methods:
We treat security incidents with high priority. Where possible and necessary, immediate risk mitigation steps will be taken or provided.
If a modification in the product is necessary to remedy a vulnerability, we start working on that immediately and incorporate it in the next release of our product.
Customers that have selected our Continuous Delivery channel will be upgraded automatically. The next scheduled On-Premises release will also contain the fix. Since On-Premises customers need to download, install and test the upgrade before taking it in production, we request that, if you want to publish your findings, you wait at least 90 days after the initial report.
In our efforts to be a responsible supplier, we support the guidelines published by the Dutch National Cyber Security Center.