
Coordinated Vulnerability Disclosure Policy

This policy applies to anyone who wishes to report a technical vulnerability related to any products or services offered by Athumi.

Purpose

A vulnerability is a technical or human weakness or flaw that could be exploited by one or more threats and may result in unauthorized access, modification, or deletion of data or information.

Athumi attaches great importance to the security of the information and systems we manage and share with our customers. Wherever possible, Athumi implements appropriate technical and organizational measures in accordance with its Information security policy, which aligns with the Information Classification Framework of the Flemish Government and the associated minimum security measures.

Despite our continuous efforts to secure our systems, vulnerabilities may still occur. If you discover such a vulnerability, we encourage you to report it so that we can take appropriate action as quickly as possible. This coordinated vulnerability disclosure policy (also known as a Responsible Disclosure Policy) allows you to responsibly inform us when you discover a potential issue.

When you discover a vulnerability

Please report it as soon as possible by emailing security@athumi.eu and include the following information:

  • The URL or IP address where you found the vulnerability.
  • A description of what you discovered, preferably with an explanation of how you identified it, so that we can reproduce the issue.
  • Your contact details (at least your name, email address, and phone number), so we can reach you for follow-up questions if necessary.

To help us protect our services and systems, please:

  • Act ethically and ensure that your testing does not negatively affect the availability or performance of our systems. The use of intrusive or disruptive techniques will not be tolerated.
  • Do not exploit the vulnerability (for example, by downloading additional data, performing DDoS attacks, sending spam, or using social engineering). If you are accidentally able to retrieve sensitive information, delete it in consultation with Athumi.
  • Do not use brute-force, DDoS, spam, social engineering, or other active attack techniques to detect vulnerabilities.
  • Keep the vulnerability confidential and do not share details with others until it has been resolved.
  • Note that when vulnerabilities concern third-party components, and these are already known, Athumi tracks and prioritizes them internally based on the CVSS score and the associated risk to Athumi.
  • Acknowledge and agree to comply with the contents of this policy when submitting your report.

What Athumi guarantees

If you report a vulnerability in accordance with this policy, Athumi guarantees that:

  • Your report and any personal information you share will be treated confidentially.
  • We will respond to your report, involve you in the assessment and resolution process where appropriate, and keep you informed of progress.
  • We will not take any legal action against you for responsible disclosure conducted in line with this policy.

Reward and acknowledgement

Athumi does not provide financial compensation for reporting vulnerabilities. However, as a token of appreciation, we will list your name (if you wish) in our "Security hall of fame".

Security Hall of Fame

This section acknowledges individuals who have helped Athumi by reporting vulnerabilities responsibly.

-

This is version 1.0 of this document.
