Responsible Disclosure Policy

Embloom attaches great importance to the safety of its ICT systems and aims for a high level of security. Embloom has taken several measures to this effect, including laying down relevant protocols and procedures and having these certified within the framework of the information security standards ISO 27001 and NEN 7510. In addition, we have a penetration test and/or security audit carried out at least once a year. Despite these measures, there may be a weak spot in one of Embloom’s ICT systems.

Reporting vulnerabilities
If you have found a weak spot in one of Embloom’s ICT systems, we would like to hear from you so that we can take the necessary measures as soon as possible. Embloom would like to work together with you, so that we are in an even better position to safeguard the safety of our ICT systems. In view of this, Embloom has the following policy regarding the handling of reports of vulnerabilities that you identify in Embloom’s ICT systems.

We ask you to do the following:

  • Please e-mail your report to security@embloom.com or use the form at the bottom of this page.
  • You should provide enough information for the problem to be reproduced, so that we can resolve it as quickly as possible. Generally speaking, all we need is the URL of the affected system and a description of the vulnerability, but more information may be needed if the vulnerability is more complex.
  • Leave your contact details, so that we can contact you and work together to achieve a safe result. Leave at least an e-mail address or phone number.
  • Make the report as soon as possible after discovering the vulnerability.
  • Do not share the information about the security problem with others until it is resolved.
  • Please note that you must be responsible with the knowledge you have about the security problem – you must not perform actions that go beyond what is necessary to demonstrate the security problem.

In any case, avoid doing the following:

  • Installing malware.
  • Copying, changing, or deleting data in a system (an alternative is to create a directory listing of a system).
  • Making changes to the system.
  • Repeatedly accessing the system or sharing access with others.
  • Using a ‘brute-force’ attack to access systems.
  • Using denial-of-service or social engineering.

What you can expect from us:

  • If you have complied with the above conditions when reporting a vulnerability that you have observed in an Embloom ICT system, Embloom will not attach any legal consequences to this report.
  • Embloom treats a report confidentially and does not share personal data with third parties without the consent of the person making the report, unless this is required by law or a court decision.
  • In mutual consultation, Embloom can, if you wish, mention your name as the person who reported the vulnerability.
  • Embloom will send you a confirmation of receipt the next working day at the latest.
  • Embloom will respond to a report within three working days, providing an assessment of the report and the date on which it expects to have resolved the problem.
  • Embloom will update the person who made the report on the progress made in terms of resolving the problem.
  • Embloom will resolve the identified security problem in a system as soon as possible and at the latest within 60 days. It may be decided by mutual agreement whether and how the problem will be published after it has been resolved.

Report vulnerability:

Aanmelden Proefaccount Embloom