CVD policy Freshheads

Have you found a technical vulnerability on our website or a digital service we developed? Please report it to us immediately so we can resolve the issue as quickly as possible. Read below how to make a report and how we handle it afterwards.

When can I make a report?

If a vulnerability poses a risk to the security of our website or the digital services we have developed, you can report it to us. Examples include the ability to bypass a login form or unintended ways to access a database containing personal data. There are also anomalies that are not significant and therefore do not need to be reported to us, such as:

  • A deviation that has no impact on the availability, integrity, or confidentiality of information.

  • The possibility of cross-site scripting on a static website or on a website where no sensitive (user) information is processed.

  • The availability of version information via, for instance, an info.php file. A possible exception to this is when the version information shows that the system uses software with known vulnerabilities.

  • The absence of HTTP security headers, such as those used for Cross-Origin Resource Sharing (CORS), unless this absence demonstrably leads to a security issue.

When in doubt after reading the exceptions above, you are always welcome to report the issue to us. We will first check if it can be considered a vulnerability and proceed accordingly. Better safe than sorry.

How can I make a report?

Follow these steps to create a report:

  1. Send an email to security@freshheads.com with your findings. If necessary, use our PGP key to further encrypt the report.

  2. Try to describe the report as clearly as possible so that our security team can start working on it as soon as possible. Usually, a specific IP address and/or URL along with a description is sufficient, but the more information, the better. If needed, we would be happy to get in touch with you for further communication.

  3. Leave at least an email address or phone number so that we can contact you if there are any questions. We prefer to communicate via email.

Make sure that:

  • You report the vulnerability to us as soon as possible after discovering it.

  • You do not share information about the security issue with others until we indicate it is permissible or until the issue is resolved.

  • You handle your knowledge of the security issue responsibly, for example by not going further than necessary to demonstrate the problem.

What shouldn't you do?

When you have discovered a vulnerability or are trying to demonstrate one, we ask you not to do the following:

  • Placing malware

  • Copying, modifying, or deleting data in a system

  • Making changes to the system

  • Repeatedly accessing the system or sharing access with others

  • Using 'brute force' to gain access to a system

  • Using denial-of-service or 'social engineering'

Disclaimer

We handle your report confidentially and never share personal information with third parties without your consent, unless required by law or court order. If your report follows the procedure described above, we have no reason to attach legal consequences to it.

What can you expect from us after reporting?

You will receive a confirmation of receipt within one business day. Following that, within five business days, you'll get a detailed response to your report, including potential next steps on our part. Afterward, we'll decide together how to keep you updated on the resolution. We take security very seriously and aim to resolve vulnerabilities as quickly as possible, and at the latest within one month.

Do I receive anything for reporting a vulnerability?

This depends on the type of vulnerability, the system in which it was discovered, and the possible negative impact. We don't have a fixed policy for this yet, but we will reach a mutual agreement through good consultation. Possible rewards include a t-shirt, a gift voucher, a cash reward, or public acknowledgment.