At Deltasec, we take the security of our own systems extremely seriously. Our mission is to make the digital world safer, and that starts with ourselves. We value the role that independent security researchers play in this process and invite you to help us keep our systems secure.
Should you discover a vulnerability in one of our systems, we would like to hear from you so that we can resolve the issue as quickly as possible. We ask that you help us protect our customers and systems by adhering to the guidelines below.
This policy applies to all systems directly owned and managed by Deltasec.
This includes:
The website and underlying infrastructure of deltasec.nl and all subdomains (*.deltasec.nl).
-Systems belonging to our customers.
-Third-party services we use (e.g., hosting providers, SaaS solutions). If you find a vulnerability in a third-party service, we request that you report it directly to that party.
-Physical security of our office location(s).
-Social engineering or phishing attacks directed at Deltasec employees.
We ask you to:
-Report the vulnerability to us as soon as possible after discovery so we can take timely action.
-Not view, download, or modify more data than is strictly necessary to demonstrate the vulnerability.
-Not perform any actions that may affect the availability and performance of our systems (e.g., Denial-of-Service attacks).
-Not share the discovered vulnerability or obtained data with others until the issue has been resolved.
-Handle your findings responsibly and not misuse the vulnerability.
-Provide sufficient information to reproduce the vulnerability so that we can resolve it as quickly as possible.
Send your findings via email to security@deltasec.nl. Please include the following information in your report:
-A clear, concise description of the vulnerability.
-The IP addresses or URLs of the systems where the vulnerability was found.
-A step-by-step guide (Proof of Concept) to reproduce the vulnerability.
-An assessment of the potential impact of the vulnerability.
-Your contact information (name and/or pseudonym) so we can contact you.
When you submit a report following the guidelines above, we promise the following:
-We will respond to your report within 3 business days with an acknowledgment of receipt and an expected timeline for analysis.
-We will keep you informed of the progress of resolving the issue.
-We will not pursue legal action against you regarding your report. Your actions will be considered authorized research.
-If you are the first to report a significant vulnerability and have followed the rules, we will offer recognition on our ‘Hall of Fame’ (if you wish).
-Any rewards (bug bounties) will be assessed on a case-by-case basis, depending on the impact, severity, and quality of the report.
The following findings are generally outside the scope of this policy (unless they pose a demonstrable and significant security risk):
-Missing ‘best practice’ configurations without a demonstrable vulnerability (e.g., missing security headers).
-Information about software versions.
-Results from automated scanners without manual validation.
-Self-XSS and other vulnerabilities requiring unrealistic user interaction.
-Issues related to SPF, DKIM, or DMARC records.
We thank you in advance for your contribution to the security of Deltasec.