Responsible Disclosure Statement

At triptic and Iris Intranet, we place great importance on the security of our systems. Despite all precautions, it remains possible that a weak spot could be found. If you discover such a vulnerability, we would appreciate hearing from you, so that we can take appropriate measures promptly. By making a report, you as the reporter agree to the Responsible Disclosure terms below, and we will handle your report in accordance with them.

We ask the following from you:

  • Email your findings to security@triptic.nl. If your report contains (privacy-)sensitive information, please request an encrypted file location from us. You will then receive a link through which your information can be sent securely.
  • Provide us with enough information to reproduce the issue, so we can resolve it as quickly as possible. Usually, the IP address or the URL of the system and a description of the issue are sufficient, but in more complex cases, more may be needed.
  • We welcome tips that help us resolve the issue. Please limit yourself to verifiable facts related to the vulnerability you've found, and make sure your advice does not essentially amount to an advertisement for specific (security) products.
  • Leave your contact details (at least an email address or telephone number) so we can get in touch with you.
  • Submit the report as soon as possible after discovering the vulnerability.

The following actions are not allowed:

  • Posting malware, whether on our systems or on those of others.
  • So-called "brute forcing" of access to our systems, unless this is done to demonstrate that security in this area is lacking.
  • Using social engineering techniques, unless to demonstrate that our employees seriously fail in their duty to handle your data carefully. Your findings should solely aim at exposing deficiencies in the procedures and practices within triptic and not at harming individual persons employed at triptic.
  • Publicly disclosing or providing information about the issue to third parties before it has been resolved.
  • Performing actions that go beyond what is strictly necessary to demonstrate and report the vulnerability, especially where this concerns the processing of confidential data that you had access to due to the vulnerability. Copying, modifying, and/or deleting data in the system is never allowed.
  • Using techniques that reduce the availability and/or usability of the system or services (DoS attacks).
  • Exploiting the vulnerability in any other way.

What you can expect:

  • If you comply with the above conditions, we will not file a criminal complaint against you, nor will we initiate a civil lawsuit against you.
  • If it appears that you have violated one of the above conditions, we may still decide to take legal action.
  • We treat your report confidentially and do not share a reporter's personal data with third parties without their consent, unless we are obliged to do so by law or by a court order.
  • In mutual consultation, we can, if you wish, mention your name as the discoverer of the reported vulnerability. In all other cases, you remain anonymous.
  • We will send you an (automatic) acknowledgment of receipt within 1 (one) working day.
  • We will respond within 3 (three) working days to a report with an (initial) assessment of the report and possibly an expected date for a solution.
  • We will resolve the vulnerability you reported as quickly as possible. We strive to keep you well informed about the progress.
  • In mutual consultation, we will determine whether and in what manner the problem will be communicated after it has been resolved.