At Fortrum Conclusion, the privacy and security of our clients are of the utmost importance. We ensure that all personal data processed through our systems is in safe hands. To this end, we conduct regular tests and actively scan our applications and infrastructure for potential vulnerabilities.
However, it is possible that a weakness may still be found in one of our systems. If you have discovered one, we kindly ask you to share it with us so we can take the appropriate actions as quickly as possible.
How to report vulnerabilities
You can report vulnerabilities by sending an email to cvd@yellowtail.nl.
We kindly ask you to observe the following:
- Describe the vulnerability, how to reproduce it, the URL/IP address, and the potential impact as clearly as possible. Providing a suggested solution is encouraged.
- Do not exploit the vulnerability, for example by retrieving more data than necessary to demonstrate the issue.
- Do not share the vulnerability with others until the issue has been resolved.
- Once you have been informed that the issue has been resolved, please delete any data obtained during your investigation from any systems where it may be stored.
- Do not make any changes to systems (e.g. installing backdoors).
- Vulnerabilities resulting from social engineering, physical attacks, DDoS, brute forcing, spam, malware, or third-party applications are considered out of scope of this policy.
- You may choose to report the issue anonymously or under a pseudonym if you wish.
What happens after you report a vulnerability?
We will assess the report to determine the severity and scope of the issue. Based on this assessment, our Security Officer, Service Manager, and the relevant development and operations teams will define and implement mitigating measures appropriate to the risk.
What we promise in return
- Your report will be reviewed within 5 working days.
- We guarantee that we will not take legal action against you as a result of your report, provided you have complied with the conditions described under “How to report vulnerabilities.”
- Your report will be treated confidentially. We will not share your personal data with third parties unless required by authorized authorities.
- You will be kept informed of the progress in resolving the reported issue.
- If you wish, we can publicly acknowledge you as the discoverer of the vulnerability, should we publish anything about it.
- If your report leads to a successful fix of a system vulnerability, we are happy to reward you with a €50 gift voucher.