At Owello we are committed to upholding the security of our systems and products to the highest standard. A great amount of effort is spent to ensure quality and safety during development and maintenance. Despite this, it is possible that something escapes our attention. We recognize the role that security researchers and the community play in identifying vulnerabilities in systems and would greatly appreciate that any vulnerabilities are reported in a timely manner. Our Responsible Disclosure Policy aims to encourage the responsible reporting of vulnerabilities to ensure the security and privacy of our users and clients.
How to report
Please report to us by emailing our security team at security@yellenge.nl.

Guidelines
• Do not share information about the vulnerability with others until the problem has been solved.
• Provide information about how and when the vulnerability presents itself. Describe clearly how the problem can be reproduced, and give information about the methods used and the timestamp of your research.
• Avoid accessing or altering any data not needed to demonstrate the vulnerability, and do not destroy anything. Do not exploit the vulnerability.
• Although we also take anonymous reports seriously, you can leave your contact details with us so we can contact you about the assessment of the vulnerability and any follow-up.
• Do not test physical security controls, use social engineering, or perform DDoS attacks.

Our Responsible Disclosure Policy isn’t an invitation to actively try to discover vulnerabilities within our systems.

How does Owello act upon Responsible Disclosure?
When you report a possible vulnerability, our response will be as follows:
• You will receive confirmation from Owello as soon as we get your report.
• Within three days of your receiving confirmation, we will provide a more extensive response, including an internal assessment of the report and the expected date of our fix. We will strive to keep you up-to-date on any progress made.
• Owello will treat your report confidentially and will not share your personal information with any third parties unless required by law or judicial decision.
• Owello will decide, together with the reporter, how to make the report public.
• Owello will, in cooperation with the reporter, decide how to make the vulnerability public or known to third parties. If the reporter wishes, we will include their name.

What not to report
This Responsible Disclosure Policy is not meant for submitting questions or complaints. It also isn’t intended to be used for:

• Reporting website outages
• Reporting phishing or email fraud
• Reporting general fraud or scams

For these kinds of communication, you can contact our support team.

Rewards/bug bounty
To encourage the reporting of vulnerabilities and bugs, Owello has a bug bounty scheme. If a report helps us prevent or fix a vulnerability, we offer appropriate compensation. We decide whether a report is eligible and the amount of the remuneration.

Which systems/problems are excluded from a bug bounty?

Not all systems accessible under our brands are under Owello’s direct control. While we also take reports related to these systems very seriously, we cannot include them under our bug bounty scheme. We also exclude vulnerabilities that pose no direct threat and those that are only reproducible under artificial circumstances.

Excluded systems
• www.yellenge.nl
• status.yellenge.nl
• log.owello.nl

Excluded types of security problems
• (D)DoS attacks
• Problems concerning self-XSS
• Error messages that do not expose sensitive information
• Notices that reveal which software we use
• Problems that require the use of severely outdated operating systems, browsers, or unverified plugins
• Problems already known to us

This policy was drafted using the NCSC’s guideline Leidraad Responsible Disclosure.