Responsible Disclosure
At Databalance, we take the security of the digital platforms we manage very seriously. Effective security is a prerequisite for guaranteeing the continuity of both our own services and those of our clients.
Unfortunately, from time to time, vulnerabilities or misconfigurations surface and can cause confidential data to be unintentionally accessed. This is very annoying because cybercriminals actively try to take advantage of these situations. Despite actively looking for these vulnerabilities ourselves, it may happen that we miss one.
Therefore, we would like to hear from you if you find a vulnerability in one of our systems. We can then fix the vulnerability. You may have a chance to win a reward. However, please read the rules below carefully first. Then you will know what to expect from us.
What we expect from you:
- If you investigate a vulnerability in one of our systems, keep your testing proportionate. If you can demonstrate that a vulnerability could potentially cause our network to go offline, you do not have to actually take our network offline.
- That proportionality also applies to demonstrating the vulnerability itself. Do not view or change more data than is strictly necessary to demonstrate the vulnerability.
- Report a vulnerability in one of our systems as soon as possible by sending an e-mail to security@databalance.eu. Preferably, send the report encrypted with our public PGP key. Include sufficient information in the report to enable us to reproduce and investigate the problem.
- Do not share knowledge of the vulnerability with others until we have resolved it and a reasonable resolution period has passed.
- Delete all confidential data obtained during your research immediately after we resolve the vulnerability.
If you follow the above rules, then we will follow the rules below:
- We will respond to the content of your report within five days, including the expected resolution time. Of course, even after that, we will keep you regularly informed of the progress in resolving the problem.
- We resolve the vulnerability as quickly as possible. Here again, proportionality plays an important role: the time frame for resolving a vulnerability depends on several factors, including the severity and complexity of the vulnerability.
- If you adhere to the above expectations, we will not take any legal action against you regarding your report.
- As a thank you for your help in better protecting our systems, we would like to reward you for reporting a vulnerability previously unknown to us. The reward depends on the type of report, the systems it relates to (for example, we can do little if it relates to an application of one of our customers), the severity of the vulnerability, and the quality of the report.
- Should you find a vulnerability in software that we use but that is made by another party, and that vulnerability falls under a bug bounty program, any bounty is of course yours.
Our PGP key can be found at this link.