Unix-Solutions is committed to maintaining the security of our systems and our clients' data. Recognizing the valuable role that the security research community plays in safeguarding the cyber ecosystem, we encourage responsible disclosure of any potential vulnerabilities discovered in our systems.
This policy applies to any security vulnerabilities discovered within Unix-Solutions' infrastructure, software, or services. It does not authorize the public disclosure of any vulnerabilities without Unix-Solutions' explicit consent.
GUIDELINES FOR RESPONSIBLE DISCLOSURE
Researchers are encouraged to:
- Report vulnerabilities as soon as possible after discovery.
- Avoid accessing, downloading, or modifying data that does not belong to them.
- Refrain from destructive testing, including flooding, spamming, and employing automated tools that generate significant volumes of traffic.
- Keep communications regarding the vulnerability confidential and direct them solely to Unix-Solutions.
- Provide a detailed description of the vulnerability, including steps to reproduce, potential impact, and any other relevant information.
HOW TO REPORT A VULNERABILITY
Vulnerabilities should be reported to Unix-Solutions via email at security@unix-solutions.be.
OUR COMMITMENT
Upon receiving a report of a vulnerability, Unix-Solutions commits to:
- Acknowledge receipt of the report as soon as possible.
- Conduct a thorough investigation and respond promptly.
- Keep the reporter informed of progress.
- Remediate identified vulnerabilities in a timely manner.
- Publicly acknowledge the contributions of researchers who responsibly disclose vulnerabilities, subject to their consent.
LEGAL CONSIDERATIONS
This policy, and any ethical security research activities that are conducted within its context, are subject to, and must comply with the provisions in, the Belgian law concerning the protection of whistleblowers of breaches of Union or national law established within a legal entity in the private sector (wet betreffende de bescherming van melders van inbreuken op het Unie- of nationale recht vastgesteld binnen een juridische entiteit in de private sector).
Unix-Solutions commits to implementing this policy in good faith and not to prosecute civilly or criminally any researcher who complies with its terms.
On the part of the researcher, there must be no fraudulent intent, intent to cause harm, or the desire to use or cause damage to the visited system or its data. This also applies to third-party systems in Belgium or abroad.
If the vulnerability can also affect other organizations in Belgium, the researcher or the responsible organization may nevertheless report this to the Centre for Cyber security Belgium (vulnerabilityreport@cert.be).
In case of doubt about certain conditions of our policy, the researcher must consult our point of contact in advance and obtain their written permission before acting.
PROCESSING OF PERSONAL DATA
Ethical security research does not aim to intentionally process personal data. However, it is possible that the researcher, even accidentally, may need to process personal data in the context of their research into vulnerabilities.
The processing of personal data has a broad meaning and includes in particular the storage, modification, retrieval, consultation, use, or provision of any data concerning an identified or identifiable natural person. The "identifiable" nature of the person does not depend on the mere will to identify by the data processor, but on the possibility to identify the person directly or indirectly based on these data (for example: an email address, identification number, online identifier, IP address, or location data).
Thus, it is possible that the researcher processes personal data in a limited way. In processing such data, the researcher commits to comply with the legal obligations regarding the protection of personal data and the conditions of this policy, in particular:
- The researcher commits to processing personal data only according to the instructions of our organization, as defined in this policy, and exclusively for detecting vulnerabilities in the systems, equipment, or products of our organization. Any processing of personal data for another purpose is excluded.
- The researcher commits to limiting the processing of personal data to what is necessary for detecting vulnerabilities.
- The researcher guarantees that the persons authorized to process the personal data have committed themselves to confidentiality or are bound by an appropriate legal obligation of confidentiality.
- The researcher takes appropriate technical and organizational measures to ensure a level of security appropriate to the risk (e.g., encryption). The researcher declares that they understand the risks associated with the implementation of this policy and that they have the necessary expertise and experience to test the systems, equipment, and products of our organization safely and in accordance with applicable laws and regulations.
- The researcher commits to helping us, as far as possible and considering the nature of the processing and the information they have, in fulfilling our obligations regarding the exercise of the rights of the data subjects, the security of the processing, and any possible impact analysis.
- The researcher commits to inform us as soon as possible after becoming aware of any possible breach related to personal data.
- The researcher may not keep any processed personal data longer than necessary. During this period, the researcher must ensure that these data are kept with a level of security appropriate to the risks.
- After the end of participation in the policy, these data must be immediately deleted.
The researcher may use a third party for their research. They must ensure that this third party is aware of this policy and agrees to comply with the conditions of the policy when providing assistance, including confidentiality and the implementation of appropriate security measures. The researcher acknowledges that they remain fully liable towards our organization if the third party they rely on does not fulfill their data protection obligations.
If the researcher processes personal data stored and/or processed by our organization in a manner that is inconsistent with this policy or for purposes other than detecting potential vulnerabilities in the systems, products, and equipment of our organization, they acknowledge that they will be considered a data controller and will be fully liable for the processing they have carried out in this capacity.
REPORT TEMPLATE
Researchers are encouraged to use this standard report template and provide as much relevant information as possible.
| Field | Details |
|---|---|
| Researcher Name and Last Name (or pseudonym) | |
| Address/Country | |
| Contact details (e-mail, phone, ...) | |
| Description of the vulnerability | |
| Type of vulnerability and assumed criticality (ideally in CVSS) | |
| Performed actions to discover vulnerability (including dates and times) | |
| Tools used to discover vulnerability | |
| IP addresses of affected systems | |
| Personal data involved (if any) and which types | |
| Attachments and screenshots |
POLICY MODIFICATIONS
Unix-Solutions reserves the right to modify this policy at any time without prior notice.
