Responsible disclosure policy
At Camco, the security of our systems is very important to us. Despite our care for the security of our systems, it is always possible that there is a vulnerability. If you have found a vulnerability or security flaw in one of our systems, physical or digital, please let us know so that we can take security measures as soon as possible. We would like to work with you to better protect our systems, our customers and our ecosystem.
This policy applies to all interested parties and stakeholders of Camco, for any of the Camco services and platforms.
We request the cooperation of the audiences in scope, including, but not limited to:
- Website Visitors
- Visitors on Camco premises
- Employees and staff
- Contractors and partners
What we ask you to do
In case you discovered a vulnerability, we ask you to do the following:
- Provide sufficient information to reproduce the problem so that we can solve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more complex vulnerabilities may require more;
- Encrypt your findings with our PGP key (https://www.camco.be/pubkey.zip) to prevent the information from falling into the wrong hands;
- Email your findings to firstname.lastname@example.org.
What we ask you NOT to do
When a vulnerability has been discovered, please refrain from:
- Abusing the problem by, for example, downloading more data than is necessary to demonstrate the leak or viewing, deleting or modifying data from third parties;
- Sharing the problem with others before it is resolved. Please also erase all confidential data obtained through the leak immediately after closing the leak;
- Attacking physical security, social engineering, distributed denial of service, spam or third-party applications, and damaging our platforms in any way, or impacting the performance of these systems.
Please be aware
There is a legal protocol to be followed (see legal reference below). Any illegal access to our systems can and will be prosecuted to the maximum extent if this regulatory protocol is disregarded.
What can be expected from us
- We will respond to your report as soon as possible, and within 5 working days at most, with our initial assessment of the report and an expected date for resolution;
- If you have complied with the conditions above and with the applicable legal conditions under cyber law, we will not take any legal action against you regarding the report;
- We will treat your report confidentially and will not share your personal data with third parties without your permission unless this is necessary to comply with a legal obligation;
- If desired, we will keep you informed of the progress of solving the problem;
- In notifying you of the reported problem, we will, if you wish, mention your name as the discoverer.
Publication of the vulnerability or resolution
Only Camco decides on any public or official communication and publication on discovered vulnerabilities. No publication is allowed without agreement and validation by Camco.
This responsible disclosure policy is based on the open-source policy template published under a Creative Commons v3 license at https://responsibledisclosure.nl/
Legal reference
Please be aware that the reporting of any vulnerability is bound to legislation.
As Camco HQ is located in Belgium, the Belgian law on vulnerability disclosure applies.
In short (quote from the website of CCB):
- You must limit yourself strictly to the facts necessary to report a vulnerability. Thus, you must not act beyond what is necessary and proportionate to verify the existence of a vulnerability;
- You must act without fraudulent intent or design to harm;
- As soon as possible after the discovery of the potential vulnerability (and at the latest at the time of reporting to the national CSIRT), you must inform the organization responsible for the system, process or control of the vulnerability;
- You must report the discovered vulnerability as soon as possible to the CCB (in the absence of a CVDP), in writing and according to the procedures described in point D of the CCB policy;
- You must not publicly disclose information about the discovered vulnerability without the agreement of the national CSIRT (CCB).
More information: https://ccb.belgium.be/en/vulnerability-reporting-ccb
General company info
Phone: +32 16 38 92 72
Fax: +32 16 38 92 74