Vulnerability Disclosure Statement
Last updated: 8 April 2024
At Viduet Health we take the safety and security of our users very seriously. We are not only ISO 27001 and NEN 7510 certified; we also make sure these values are part of our company culture. We encourage vulnerability testing by security researchers and customers, with responsible reporting to Viduet Health.
On this page, https://viduet.eu/security, we provide guidelines and other information that we ask you to follow when reporting vulnerability findings.
Reporting Procedure
- Please send your submissions to security@viduet.eu and use our public PGP key to encrypt such submissions.
- Please include a reference or advisory number and sufficient contact information, so that we can get in touch with you.
- Please provide as many technical details as you can, including the URLs you tested, the relevant technical infrastructure and network configuration, the date and time of testing and, if possible, the IP address from which you tested.
- Please provide all information needed to reproduce the issue on our side.
- Please clarify the impact of your finding, specific to our situation. If the finding is a generic one without specific impact for us, we will probably not consider it a vulnerability.
- If you have proof that the vulnerability has been exploited, please provide that as well, PGP-encrypted.
- If you communicate vulnerability information to vulnerability coordinators or other parties, please advise us and provide their tracking number if possible.
Our Assessment and Action
- We will acknowledge your report within three business days.
- We will assign and provide a unique tracking number.
- We will keep you informed of the status of your report.
- We will:
  - Verify the reported vulnerability
  - Work on a resolution
  - Verify the effectiveness of the resolution
  - Release the resolution to production
  - Internally document and share lessons learned
Important
- Do not include sensitive information, such as patient information, in any screen shots or other materials you provide us as part of your report.
- Please use demo/test environments to perform vulnerability testing.
- Please don’t DDoS us.
- Don’t take advantage of the vulnerability or problem you have discovered, for example by downloading more than the absolute minimum of data needed to demonstrate the problem, or by deleting or modifying any data. For example, instead of sending files themselves, you could send directory listings.
- If requested, we will credit researchers by listing them on our hall of honors.