Coordinated Vulnerability Disclosure

At SBA, we attach great importance to the security and reliability of our IT solutions and web applications. Despite our efforts to implement security measures, vulnerabilities may still occur in our systems. We would like to ask experts, customers, and other stakeholders to report discovered vulnerabilities to us in a responsible manner. This policy describes how we handle reports of vulnerabilities.

Our promise

Upon receipt of a report of a potential vulnerability, we commit to the following actions:

  1. Speed: We will confirm the notification within 3 working days.
  2. Evaluation: We will investigate and validate the reported vulnerability.
  3. Transparency: We will keep the reporter informed of progress and provide an indication of the expected resolution time.
  4. Resolution: Once the vulnerability is confirmed, we will work on an appropriate solution to mitigate or resolve it.

How to report

If you discover a vulnerability in one of our IT services or web applications, we kindly request that you report it in the following way:

  • Email: Send your report to servicedesk@sba.nl with the subject “Coordinated Vulnerability Disclosure”.
  • Content of the notification: Provide a detailed description of the vulnerability, including steps to reproduce it, the impact, and any supporting evidence such as screenshots or log files.

What we expect from you

To ensure that vulnerability reporting is done in a safe and responsible manner, we ask you:

  • No Disclosure: Not to disclose the vulnerability until we have implemented a fix and you have given permission to share the information.
  • Restrictions: Not to access third-party data, not to make changes to the system, and not to disrupt our services.
  • Legal compliance: Not to exploit vulnerabilities in violation of the law, for example by using social engineering or physical attacks.

Disclaimer

This Coordinated Vulnerability Disclosure is not intended as an invitation to conduct penetration tests or other security research without prior consent. Following our Coordinated Vulnerability Disclosure policy means you are acting in good faith, and we will not take legal action against researchers who violate this policy. We appreciate your help in protecting the safety and privacy of our customers. Your efforts help us improve our products and continuously improve our services. If you have any questions about this policy, please contact us at servicedesk@sba.nl.