Responsible Disclosure (English)

The security of this website is very important to PTA security. In spite of our care for security, it is still possible that there are vulnerabilities in our website. If you find a weak spot in the security of our website, please tell us a.s.a.p. so we can fix it. We would love to work with you to improve the security of our website.

We ask you to:

  • Only report real vulnerabilities with proof that you personally can exploit them. No reports of old software versions, missing best practices or output from automated scanning tools without proof of exploitability.
  • E-mail your findings to peter@pta-security.nl. When possible, please encrypt the messages with the PGP key below to prevent unauthorized access to the information. You can also use our profile on hackerone.com to report vulnerabilities.
    (PGP Key ID: 19D35B85 | PGP Fingerprint: 3FD8 F230 B04E C15E BEEA F92B 835E 3D39 19D3 5B85)
  • Give us enough information to be able to reproduce the problem so we can fix it a.s.a.p. Usually the URL that contains the vulnerability and a description of the vulnerability is enough, but when the issue is complicated, more info may be required.
  • Give us your contact information so we can contact you when we have questions. An e-mail address or phone number is greatly appreciated.
  • Inform us of the vulnerability a.s.a.p. after you discover it.
  • Not share any information regarding the vulnerability until it is fixed.
  • Be responsible by not taking any actions other than the minimum required to verify the vulnerability.

The following is explicitly NOT allowed:

  • Uploading malware, viruses, trojans etc.
  • Changing or removing information.
  • Changing the system configuration.
  • Repeatedly accessing the system or sharing access with others.
  • Using denial-of-service attacks.

What you can expect from us:

  • If you play by the rules set above when finding security vulnerabilities in this website, we will not pursue any legal action against you regarding the discovery of the vulnerabilities you reported to us.
  • We treat every report with the highest confidentiality and will never share your personal information without your express consent, unless we are forced to do so by a legally binding court order.
  • If you want to, we will credit you for reporting a confirmed vulnerability by putting your name in a thank you section on this website.
  • We will send you a confirmation of the receipt of your report within one business day.
  • We will respond to a report within 3 business days with an assessment of the vulnerability and the expected time needed to fix the issue.
  • We will keep you informed of the progress we make in fixing the issue.
  • We aim to fix the issue reported by you a.s.a.p. The maximum time we may take to fix any issue is 60 days after getting the report.
    We prefer to work with you in publishing the vulnerability after it has been fixed.

What we do with vulnerabilities we find:

  • PTA security only tests for vulnerabilities in systems owned by third parties after express consent from the owner.
  • We reserve the right to investigate the security of all systems and software owned or managed by PTA security itself.
  • We will report any vulnerabilities only to the owner or the party responsible for hosting and/or managing the vulnerable systems or software.
  • When we find vulnerabilities in software managed by ourselves, we will inform the supplier of the software.

Based on the “Leidraad Responsible Disclosure” by Floor Terra

Reporting data leaks

Your privacy and the confidentiality of your business data are very important to us.

In spite of the care we take protecting your data it is possible for information to leak. This is how we would handle such an event:

What we consider a data leak

  • A situation where we know or can reasonably suspect that unauthorized access to personal or business information entrusted to us has occurred.

How we respond to a data leak

  • After finding out about the data leak, our highest priority is fixing the leak and preventing damage to those concerned.
  • We will investigate the leak to determine how and what data was leaked, what the cause of the leak was and who had access to the leaked data.
  • We will take actions to prevent this from happening again.
  • When we find illegal acts have been a factor in the data leak we will report this to the police.

Who do we inform about a data leak

  • We inform the Dutch Privacy Authority (College Bescherming Persoonsgegevens) whenever Personally Identifiable Information is involved.
  • We inform all persons and organizations affected by the data leak.*

*If the leaked data is protected by strong encryption and there is no reason to suspect the information can be accessed by unauthorized parties, we will not inform the affected persons and organizations. In this case the security measures (encryption) are deemed effective in preventing access to the information.