Responsible Disclosure

We take the security of our systems and users very seriously and attach great importance to improving it. Despite all precautions, it remains possible that a weak spot in the systems may be found. To stay one step ahead of malicious parties, we would like everyone who finds a vulnerability in our systems to report it to us.

By submitting a report, you agree to the following terms and conditions regarding Responsible Disclosure, and we will handle your report in accordance with these terms and conditions.

We ask the following of you:

  • Submit the report as soon as possible after discovering a potential vulnerability.
  • To report an issue, please use the designatedform "Responsible Disclosure Report".
  • Please provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible.
  • We welcome any tips that will help us resolve the issue. Please limit yourself to verifiable facts relating to the vulnerability you have identified and avoid advice that amounts to advertising for specific (security) products.
  • You avoid violating privacy, degrading user experience, disrupting production systems, and destroying data during security testing;
  • Do not share the problem with others until it has been resolved.

What is not permitted:

For the safety of our users, employees, the internet in general, and you as a security researcher, the following actions are not permitted:

  • Testing applications other than this domain, namely "sloterburg.nl";
  • Performing actions that go beyond what is strictly necessary to demonstrate and report the security issue.
  • Social engineering and/or physical testing (e.g., phishing, tailgating);
  • Using techniques that reduce the availability and/or usability of the system or services (e.g., DoS attacks).
  • Installing malware.
  • Copy, modify, or delete data in the system.
  • Disclosing or providing information about the security issue to third parties before it has been resolved.

What you can expect from us:

  • We will work with you to understand the vulnerability and resolve it quickly (including providing initial confirmation of your report within 72 hours of submission).
  • We will keep you informed of our efforts to resolve the vulnerability;
  • If you meet all of the above conditions, we will not file a criminal complaint against you or bring a civil action against you.

If you have any questions or comments about this Responsible Disclosure, pleasecontactEmiel Duinisveld (Chief Information Security Officer at SIM).