Responsible Disclosure

For many organisations, data has become one of the most valuable resources. Loss or misuse of data can therefore lead to potentially major consequences for an organisation. This is why Mail to Pay is committed to the security and protection of its systems and the data processed in them.

If, despite our care and measures, you do find a vulnerability in one of our systems, please let us know. In this way, we can take appropriate measures as soon as possible. Together, we can maintain a high level of security and protection and minimise the possibility of any security breaches.

What are the vulnerabilities to consider?

A weak spot or vulnerability is an error in a digital system, allowing an attacker to gain unauthorised access to systems or information.

As a result, the attacker can, for example, access, modify or destroy data, install malware and/or take the data hostage, preventing the user from accessing the information.

How can I report vulnerabilities?

We would like to receive your report via support@mailtopay.nl with a description of the vulnerability and, where possible, answers to the following questions:

  • When did you identify the vulnerability?
  • Where did you identify the vulnerability? For example, in one of our products, physical locations and/or devices.
  • How did you find the vulnerability? Which steps/actions led to it?
  • By whom and how could the vulnerability be exploited?
  • What could happen if the vulnerability is exploited?

Additionally, we would like to receive supporting material accompanying your report, such as: screenshots, logs, URLs, IP addresses and information about the operating system, device and browser used. This will provide us with sufficient information to investigate and implement a suitable solution as quickly as possible.

What are the conditions?

Upon detection of a vulnerability, we ask you to:

  • report the vulnerability, as described above, to us, and at no time or in any way publicise this information;
  • deal responsibly with the knowledge of the vulnerability and not collect more data or take any other action than necessary to make the report;
  • not exploit the vulnerability and cause damage to and/or interruption of users, organisations, systems, data or services, for example by using attacks on/with physical security, social engineering, distributed denial of service, backdoors, brute force, malware, ransomware, spam, phishing, third party applications, etc.;
  • comply with applicable laws and regulations, including privacy laws, and treat the report and related information in accordance with the appropriate level of confidentiality;
  • erase all data obtained from this report and vulnerability immediately upon resolution and confirm the removal to us.

We assume that a report is made in good faith. However, if, during and/or after the investigation of the vulnerability, any doubt arises as to the compliance with the above conditions, Mail to Pay may expand the investigation and, if necessary, take legal action.

Is there a reward for reporting a vulnerability?

No, we do not offer rewards for reporting vulnerabilities.

What happens to my report and my personal information?

Upon receipt of your report, we will assess whether the report contains sufficient information and begin our investigation to resolve the vulnerability as soon as possible. We will keep you informed on the status of your report and its completion via support@mailtopay.nl.

The personal information you provide to us, such as your name, e-mail address and/or telephone number, will only be used in the context of this report. Our privacy statement contains more information about the use of personal data.