Responsible Disclosure Policy
Lydian considers the security of our systems and data a top priority. No matter how much effort we put into the security of our systems and data, there can still be vulnerabilities present. Should you discover a security vulnerability, we ask you to report the vulnerability to us through a process of coordinated disclosure of vulnerabilities, also known as responsible disclosure. By doing this, we can safely take steps to address the security vulnerability as quickly as possible to improve the security of our systems and data.
1 WHICH SECURITY VULNERABILITIES CAN BE REPORTED?
The responsible disclosure process is intended for reporting suspected vulnerabilities in our systems, including the Lydian website, that can be abused and/or lead to (amongst others):
- The theft of (personal or non-personal) data;
- Unauthorised modification or deletion of data;
- Interruption or modification of access to our systems;
- Disruption of the proper functioning of our systems; or
The responsible disclosure process is not intended for reporting:
- Questions or complaints about the functioning of our systems, legal services, invoices etc.; and
- Notifications about viruses, phishing emails, email fraud, etc.
2 VULNERABILITY DISCLOSURE PROCESS & RULES OF ENGAGEMENT
Unlike before, hacking in the context of a necessary disclosure of a vulnerability is not considered a crime as long as four cumulative conditions are met. First, the vulnerability reporter must have acted without fraudulent intent or intent to harm. Secondly, they must inform Lydian as soon as possible that a vulnerability may have been discovered. Thirdly, when verifying the existence of a vulnerability, proportionality is key. If the problem has been demonstrated on a small scale, there is no need to look any further. Lastly, information about the discovered vulnerability should not be made public without the prior consent of Lydian.
- Please report all security vulnerabilities to firstname.lastname@example.org;
- Please use an appropriately encrypted email message to prevent this critical information from falling into the wrong hands;
- Describe the problem in sufficient detail, and include any necessary evidence;
- You are not required to provide us with your contact information, however you could provide us with an email address leading to an anonymous mailbox;
- Only notify Lydian of your findings and only via this process. Do not publish details about the security issue through other channels. Making the vulnerability known through other channels or the media, whether before or after notifying Lydian via this process, will be considered irresponsible disclosure and will lead to the filing of criminal charges;
- Do not exploit the identified vulnerability. Only collect the information necessary to demonstrate its existence. Do not change or delete any data or system settings;
- Always operate within legal boundaries when identifying potential security vulnerabilities. DDoS attacks, brute-force password guessing, social engineering activities, infecting systems with malware/computer viruses, scanning systems and networks etc. can cause harm to Lydian, our staff and our clients and will therefore be considered and treated as targeted attacks. In these and other cases, Lydian will not guarantee that you will not be prosecuted since there is a risk that the authorities will take the necessary measures in response to such attacks. In any case, in those circumstances Lydian will also consider filing criminal charges.
3 WHAT HAPPENS TO REPORTED SECURITY VULNERABILITIES?
- If you have provided any contact information, we will respond to your message as soon as possible;
- Where possible, we may contact you if we require additional information;
- We will do everything possible to resolve any shortcomings as quickly as possible, and we will keep you informed throughout the process (if contact information was provided);
- In any case, Lydian will never grant rewards for any discovered vulnerabilities.
4 FURTHER INFORMATION
If you have any questions or remarks, please contact us through email@example.com.
In case of doubt about the applicability of this Policy, please contact us first via the above email address.
Lydian reserves the right to change the content of this Policy at any time, or to terminate the Policy.
Last updated: 1 August 2023