Responsible Disclosure Policy
At bpost we place great importance on the security of our systems and data. Despite the measures we take to optimise our security, issues may still occur. Should you discover a security problem, we have a process in place for you to report it to us in a responsible way. We appreciate your help in improving our systems and protecting our customers.
Which security problems can be reported this way?
This process is intended for reporting suspected vulnerabilities in our products and services – including websites, web-based applications and mobile apps – that can be abused and lead to:
- theft of sensitive data
- unauthorised modification or deletion of sensitive data
- interference with or prevention of access to our services
- disruption of the proper functioning of our products or services
This process is not intended for reporting:
- questions or complaints about the functioning of our products, services, invoicing, etc. For these types of issues, please contact our customer service instead.
- DDoS attacks, brute-force password guessing, social engineering attacks, etc.
- notifications about viruses, phishing mail, spam mail, fraud, etc.
How should the security problems be reported?
- Report the issue by sending an email to firstname.lastname@example.org.
- Write your message in Dutch, French or English.
- Describe the problem in sufficient detail, and include the necessary evidence, such as IP addresses, log entries, screenshots, etc.
- You can also report the suspected vulnerability via the Intigriti secure bug bounty platform where bpost has a responsible disclosure program running.
- You are not required to provide us with contact information. However, in some cases we may want to reach you to ask for further information or to provide feedback. One option here is to provide an anonymous mailbox (e.g. via Gmail or Hotmail).
- Only notify bpost of your findings, and only via this process. Do not publish details about the security issue through other channels. Making the problem known through other channels or the media, whether before or after notifying bpost via this process and even if not all details are provided, will be considered irresponsible behaviour and can lead to the filing of criminal charges.
- Do not exploit the identified vulnerability: collect only the information necessary to demonstrate that it exists.
- Do not change or delete any data or system settings.
- Handle any data you find in a responsible way: if a small sample is enough to demonstrate the security problem, do not retrieve or access any more.
- Always operate within legal boundaries when identifying potential security issues. Do not demonstrate security vulnerabilities by performing DDoS attacks, brute-force password guessing, social engineering activities, infecting systems with malware, scanning our systems, etc. These actions can cause harm to both bpost and its customers and will therefore be considered and dealt with as targeted attacks. In such cases, bpost cannot guarantee that you will not be prosecuted, since there is a risk that the authorities will take the necessary measures in response to such attacks.
What happens to the reported security problems?
- If you have provided contact information, we will respond to your message as soon as possible.
- Where possible, we will contact you if we require additional information.
- We will do everything possible to resolve any shortcomings as quickly as possible, and we will keep you informed throughout the process.
- Depending on the potentially identified security problem, bpost may decide to grant a reward. The content and scope of a reward will be determined by bpost alone, and any such reward may not be construed as a guarantee of future rewards.
- Acting in accordance with these guidelines ensures that bpost will not file a criminal complaint against you.