Responsible disclosure policy


1. Introduction

At Agisko BV, we take the security of our systems and services seriously. Despite all measures taken, vulnerabilities may exist in our digital or physical systems.

Have you discovered a vulnerability or security flaw in one of our systems? We ask you to report it responsibly and discreetly. We are happy to work with you to better protect our systems, our customers, and our ecosystem.

2. Scope

This policy applies to:

  • all systems, services, applications, and platforms of Agisko BV
  • all digital and physical environments managed by or on behalf of Agisko BV

The policy applies to all stakeholders and interested parties.

3. Target audience

We request the cooperation of everyone within the scope, including but not limited to:

  • visitors to Agisko premises
  • employees and staff
  • customers
  • contractors and partners
  • suppliers and prospects
  • external security researchers

4. Responsible reporting protocol

4.1. What we ask of you

When you discover a vulnerability, we ask you to:

  • provide sufficient information to reproduce the issue (for example IP address, URL, involved service, and a clear description);
  • limit your investigation to what is necessary and proportionate to demonstrate the vulnerability;
  • report your findings confidentially via:

Email: infosec@agisko.be

If possible, we ask that sensitive information be sent encrypted.

4.2. What we explicitly do not ask for (and do not allow)

When discovering a vulnerability, we explicitly ask you to:

  • not abuse the vulnerability (such as downloading more data than necessary or viewing, modifying, or deleting third-party data);
  • not cause disruption to systems, services, or performance;
  • not carry out attacks, including but not limited to:
    • social engineering
    • physical security attacks
    • denial-of-service (DoS/DDoS)
    • spam
    • attacks on third-party systems
  • not share information about the vulnerability with third parties before it is resolved;
  • immediately delete any confidential data obtained once the vulnerability is fixed.

4.3. Legal framework - Important

Reporting vulnerabilities is subject to legislation.

Since Agisko BV is based in Belgium, Belgian legislation regarding vulnerability reporting applies.

Any form of unauthorized access to our systems can be prosecuted criminally if this policy or the legal protocol is not followed.

5. What you can expect from Agisko BV

If you act according to this policy and in good faith, you can expect from us that:

  • we confirm your report as soon as possible, and within 5 working days at the latest;
  • we conduct an initial assessment and inform you about the expected follow-up;
  • we do not take legal action against you regarding the report, provided that:
    • you comply with this policy;
    • you act without fraudulent intent;
    • you respect applicable laws;
  • we treat your report confidentially and do not share your personal data without your consent, unless legally required;
  • we keep you informed of the progress if desired;
  • we mention your name as the discoverer in any solution or publication if you wish.

6. Publication and communication

All decisions regarding:

  • external communication
  • public disclosure
  • technical details
  • advisories or publications

are exclusively made by Agisko BV.

No information about the vulnerability or the solution may be made public without prior written permission from Agisko BV.

7. Legal reference - Belgian CCB guidelines

Reporting vulnerabilities must be done in accordance with the guidelines of the Centre for Cybersecurity Belgium (CCB).

In short:

  • you strictly limit yourself to what is necessary to demonstrate the existence of the vulnerability;
  • you act without fraudulent or harmful intent;
  • you notify the responsible organization as soon as possible;
  • if required, you report the vulnerability according to the CCB procedures;
  • you do not disclose information without permission from the national CSIRT (CCB).

More information: https://ccb.belgium.be/en/vulnerability-reporting-ccb

8. Company information

Agisko BV
Junostraat 21/bus 2
2600 Antwerp
Belgium

Security Contact:
Email: infosec@agisko.be