Group policy on responsible disclosure

April 2021

1 Responsible disclosure – Etex statement

Within Etex Group, we value the security of our digital environment, including our websites and online services. Despite the efforts we spend to appropriately secure our environment, we can never fully rule out that a vulnerability may still be present. This Responsible Disclosure policy is intended to be published on the different Etex websites and allows (external) security researchers to report identified vulnerabilities within a predefined framework, including the expectations and promises of Etex Group related to acts under this policy.

If you have found a weak spot in one of our systems, please let us know so that we can take remediation measures as quickly as possible. We would like to work together with you to safeguard our environment and to protect our internal and external stakeholders even better.

You can report vulnerabilities by signing up as a security researcher and joining our Etex responsible disclosure program via https://www.intigriti.com. This Etex responsible disclosure program went live on April 26th 2021. In order to get access to our private program, you can apply by sending us an email containing your account name on the Intigriti platform.

2 Responsible disclosure – Our expectations

In order to comply with our Group Policy on Responsible Disclosure, we ask you:

  • To report the vulnerability immediately after discovery via our Etex responsible disclosure program - https://www.intigriti.com. Intigriti is a crowdsourced security platform where security researchers and companies meet. The detailed Terms & Conditions of the Etex responsible disclosure program are also listed on this platform.
  • To take the necessary confidentiality measures during and after your testing to prevent the information being disclosed to malicious parties.
  • Not to exploit the vulnerability by, for example, downloading more data than is necessary to demonstrate the weak spot, or deleting / modifying any data being exposed. At no point in time is it allowed to download, delete, or modify personal data.
  • Not to deploy malware (e.g. virus, worm, trojan, botnet, etc.). Do not make changes to a system or copy, modify, or delete data in a system.
  • Not to disclose or share the problem with others until it is remediated and to erase all data obtained through the leak immediately after reporting the vulnerability to Etex Group.
  • Not to use any attack techniques related to physical security, social engineering including spamming or phishing, (distributed) denial of service and brute force attacks. Do not perform any actions that could have an impact on the proper functioning of the system, both in terms of availability and performance, but also in terms of confidentiality and integrity of the stored data. Request rates should be limited to max. 1 request per second.
  • To provide sufficient information to allow Etex to reproduce your findings and resolve them as quickly as possible. Usually, the IP address or the URL of the involved system and a description of the vulnerability should be sufficient, possibly supported by additional screen prints or technical details. More complex vulnerabilities may require more information.
  • To confirm to Etex that you have acted and will continue to act in accordance with this Responsible Disclosure Policy by accepting the Terms & Conditions of the program.

Any act under this Responsible Disclosure Policy should be strictly limited to conducting tests to identify potential vulnerabilities and sharing this information with Etex Group.

If, after the vulnerability has been removed, you wish to publish information about the vulnerability, we ask you to notify us at least one month before publication, and to give us the opportunity to respond. Identifying Etex Group, one of its subsidiaries or any of its employees in a publication is only possible after we have given our explicit approval.

3 Responsible disclosure – Our promise

  • We will respond to you in a short period of time, if possible within 10 working days, to confirm appropriate receipt of your report. We will assess the reported vulnerability and define an expected remediation date if applicable. We will keep you informed of the progress of remediation.
  • If you have fully complied with all above conditions and have not committed any other breaches, we will not take legal action against you regarding the performed acts under this policy.
  • We will treat your report confidentially and will not share your personal data with third parties without your consent unless this is necessary to comply with a legal obligation.
  • To thank you for your report, we offer a reward as described in more detail in the terms and conditions of our responsible disclosure program(s) on the Intigriti platform (e.g. credits, “hall of fame”, bounty payment). Under no circumstances will Etex Group proceed with payment in digital currencies such as Bitcoin.

4 Contact details

If you prefer to report a vulnerability without using the Intigriti platform, you can send an e-mail directly to our information security team via InfoSec@etexgroup.com. However, you should consider that we will be unable to discuss the next steps with you or reward you for your efforts (e.g. via a recommendation letter, credits or bounty payment). Although we are actively monitoring this mailbox, we are not committing to any response times for vulnerability reports received through this channel.

Please address any questions you may have in relation to this policy to the Information Security Team: InfoSec@etexgroup.com.

This text is a derivative work of "Responsible Disclosure" by Floor Terra, used under a Creative Commons Attribution licence 3.0.