Did you find a security problem in our systems? Get a reward

DELA values the security and privacy of its users. We are aware of the security risks and aim to protect our systems as well as possible. Did you find a vulnerability? Please let us know so we can continue to ensure your safety and that of other users.

Please note that our responsible disclosure policy is not an invitation to actively hack our systems to discover weak spots.

View previous reports

What can I report?

Vulnerabilities you can report include:

  • The lack of a secure connection
  • Cross-Site Scripting (XSS) vulnerabilities
  • SQL injection vulnerabilities

Did you discover a weak spot? Providing the IP address or URL will often be sufficient. Please tell us what you found and the actions you took when you discovered it. In case of a complex problem, we may contact you for more information.

Did you find a serious problem? If so, we will give you a reward. See ‘Reward conditions’ to find out how this works and what the exact rules are.

Please note that no reward is given when the weak spot is already known or if the associated risk is acceptable, such as:

  • HTTP 404 codes or other non-HTTP 200 codes
  • Unencrypted text in 404 pages
  • Lack of ‘Secure’ / ‘HttpOnly’ flags on non-sensitive cookies
  • Using the HTTP OPTIONS Method
  • Lack of one or more HTTP Security Headers
  • Lack of SPF, DKIM and DMARC records
  • Lack of DNSSEC
  • Version banners on public services
  • Host Header Injection
  • Publicly accessible files and folders containing non-sensitive information
  • Clickjacking on pages without a login feature
  • Cross-site request forgery (CSRF) on forms that can be accessed anonymously
  • DDoS vulnerabilities
  • Rate limiting vulnerabilities with no significant impact
  • Issues with security certificates (SSL certificates)

What can I not report?

This responsible disclosure policy is not a means to make complaints, nor is it intended for reporting:

  • Viruses
  • Fake emails (phishing)
  • Unavailability of our websites
  • Fraud

I want to report something

Your report makes a difference to our security. First encrypt your report using the PGP key below and then send it.

PGP key

Report something

Rules

  • Please only share your findings with us and do not make them public, even if you feel it is taking a long time to get a response. Sometimes we need a little more time to solve the problem.
  • Do not use automated tooling to detect security problems.
  • Do not exploit the problem: for example, do not download more data than necessary to demonstrate the leak, and never change or delete data. Be extra cautious when personal data is involved.
  • Do not publicly disclose any data.
  • Only send us (minimal) data that is necessary to demonstrate the problem (for example, make a directory listing or screenshot).
  • Do not post a backdoor to demonstrate a security problem. This could cause additional damage and create unnecessary security risks.

If, in the course of your investigations, you do something that isn't permitted by law, we won't report this, provided you are acting in good faith, carefully, and according to the above rules.

What happens after I report something?

We will let you know within three working days how we will handle your report. We will only use your contact details to communicate with you about the report and will not share them with others unless required to do so by law. If, for example, the authorities request this information or we notice that you are not acting in good faith (i.e. if you are doing something that is punishable), we will report this to the police.

No rewards are given for anonymous reports.

Reward conditions

Is it a serious security problem and one we are not yet aware of? Then we would like to thank you with one or more gift vouchers (up to €300) and eternal glory with a listing in our Hall of Fame. The amount of the gift vouchers depends on the risk and impact of the reported security problem.

We do our best to give similar rewards for similar problems. In our Hall of Fame, you can be mentioned under your own name or an alias. We can add a link to your LinkedIn or X profile (no Facebook or Instagram).

Please note: No reward will be given when we conclude that there is no real security problem or if we consider the risk to be low or acceptable.

In the case of multiple reports about the same problem, the reward will go to the first person to report it.