iDEAL Coordinated Vulnerability Disclosure
Currence iDEAL places great importance on the security of its systems. Despite our diligence in securing them, vulnerabilities may still occur.
If you discover a vulnerability in one of our systems, we would appreciate it if you could inform us, so we can take appropriate measures as quickly as possible. We are keen to work with you to better protect our customers and systems.
We kindly request the following:
- Please send your findings to security@ideal.nl
- Do not exploit the issue, for example, by downloading more data than necessary to demonstrate the vulnerability, or by viewing, deleting, or modifying third-party data.
- Do not share the issue with others until it has been resolved, and delete any confidential information obtained through the vulnerability immediately after the breach has been fixed.
- Do not use physical attacks, social engineering, distributed denial of service (DDoS), spam, or third-party applications.
- Provide enough information to reproduce the issue, so we can resolve it promptly. Usually, the IP address or URL of the affected system and a description of the vulnerability suffice, but more complex vulnerabilities may require additional information.
Our commitments:
- We will respond to your report within two working days with our assessment and an estimated date for resolving the issue.
- If you adhere to the above conditions, we will not take legal action against you regarding the report.
- We will treat your report confidentially and will not share your personal data with third parties without your permission, unless it is necessary to comply with a legal obligation. You may also report under a pseudonym.
- We will keep you informed of the progress in resolving the issue.
- In our communication about the reported issue, we will credit you as the discoverer, should you wish us to do so.
- As a token of our appreciation, we offer a (symbolic) reward for each relevant report of a security issue that was previously unknown to us. The reward is determined based on the severity of the breach and the quality of the report.
We strive to resolve all issues as quickly as possible and would like to be involved in any publication about the problem once it has been resolved.