Security Statement

Cardan is committed to ensuring the availability, integrity and confidentiality of our systems and to fully transparent security procedures. These are described below.

Our privacy statement provides more information on how we handle your data.

Report vulnerability

Cardan Technobility is committed to ensuring the availability, integrity and confidentiality of our digital systems. Despite our care for information security, a technical vulnerability may occur. If you find a vulnerability in a Cardan Technobility system, you can report it to us. Making such a report is called Coordinated Vulnerability Disclosure (CVD). This page explains how it works.

For which vulnerabilities can you make a CVD report?

You can report vulnerabilities when they pose a risk to the security of our systems. Examples include vulnerabilities that allow an authentication mechanism to be bypassed or unintended access to confidential data. Not every anomaly in a system is a vulnerability. Therefore, we would ask you not to make a CVD report to us for the anomalies listed below:

  • An anomaly that does not impact the availability, integrity or confidentiality of confidential information;

  • The availability of version information (for example, an info.php file). A possible exception is when the version information shows that the system uses software with known vulnerabilities;

  • The absence of HTTP security headers, unless this absence demonstrably leads to a security problem.

If you are unsure whether the vulnerability you have found falls under one of the above exceptions, you can of course simply report it to us.

How do you make a CVD report to Cardan Technobility?

  • Email your findings to technobility@cybersquare.nl;

  • Send the CVD report as soon as possible after discovering the vulnerability;

  • Make sure the CVD notification is written in Dutch or English;

  • Make sure your CVD notification contains the following information:

    • A detailed description of the vulnerability, possibly including CVE number and/or EDB ID;

    • The IP address or URL of the vulnerable system;

    • How the problem can be reproduced:

      • The steps taken to identify the vulnerability;

      • Objects involved (such as input fields);

      • Screenshots are appreciated;

  • Preferably leave an email address so we can contact you with questions.

Encrypt your messages

You can encrypt your messages to Cardan Technobility by using the PGP key on this page.

What not to do

  • Post malware or other software that may harm the availability, integrity and/or confidentiality of our systems;

  • Exploit the vulnerability by performing actions beyond what is necessary to demonstrate the security problem, for example, downloading, copying, modifying or deleting data and accessing third-party data;

  • Repeatedly gain access to our systems or share access and/or information with others;

  • Retain confidential data obtained in demonstrating the vulnerability. Delete such data immediately upon receipt of CVD notification;

  • The following attack techniques are not permitted:

    • Attack techniques that can disrupt or negatively affect normal system operation, including “(Distributed) Denial of Service” attacks, spam and buffer overflow attempts;

    • Bypassing authentication mechanisms through “Brute force”, “Dictionary” and “Social engineering” attacks;

    • Attacks on third-party applications.

The principles of our CVD policy

  • If you make the CVD notification according to the above procedure, we will not attach any legal consequences to your actions during vulnerability identification;

  • We will treat your CVD notification confidentially and will not share personal data with third parties without your consent, unless necessary to comply with legal obligations;

  • We will send you confirmation of receipt within one business day;

  • In any communications about the reported problem, we will, if requested, include your name as the discoverer. We will mention your name only with your permission. Reporting under a pseudonym is possible.

Updates to this policy

Cardan Technobility may update this security policy by posting a new version on this website. For the most recent version of our policy, visit our website.