Vulnerability Disclosure Policy

Insify takes the security of our systems and the protection of our customers' data seriously. We welcome responsible security research conducted in good faith and in accordance with this policy.

Reporting a Vulnerability

Email: security@insify.io

Language: English

If you need to share highly sensitive details, request a secure channel in your initial email and we will arrange one.

Your Report Should Include

  • A description of the vulnerability and its potential impact

  • Steps to reproduce (proof-of-concept, screenshots, or logs)

  • The affected system(s) or URL(s)

  • Your contact information

Do not include customer data, credentials, or personal data in your report.

Scope

In scope:

  • Production web applications and APIs operated by Insify

  • Authentication and authorization systems

  • Customer-facing portals and dashboards

Out of scope:

  • Third-party services we integrate with (report to them directly)

  • Social engineering or phishing of our employees

  • Physical security

  • Denial-of-service testing

  • Findings from automated scanning tools without a demonstrated, validated impact

  • Email configuration issues (SPF, DKIM, DMARC) unless you can demonstrate a concrete, exploitable attack

  • Missing HTTP security headers without a demonstrated exploit

Reports that fall outside this scope may not receive a response.

Rules of Engagement

You may:

  • Test our in-scope systems for vulnerabilities

  • Use the minimum access needed to demonstrate the issue

You must not:

  • Access, copy, modify, or delete data belonging to other users

  • Degrade service availability

  • Place backdoors or persistent access mechanisms

  • Use the vulnerability beyond what is necessary to demonstrate it

  • Disclose the vulnerability to third parties before we have resolved it

Safe Harbor

If you conduct research in good faith and comply with this policy, Insify will:

  • Not initiate legal proceedings against you under Dutch criminal law or any other applicable law

  • Not file a complaint with law enforcement regarding your research

  • Not pursue civil claims related to your research

Any personal data encountered during research must not be copied, stored, or disclosed, in accordance with the GDPR.

What Happens After You Report

We will review your report and follow up if we need additional information or once the issue is resolved. We prioritise reports based on severity and exploitability.

We do not guarantee a response to reports that fall outside the defined scope.

Recognition

We acknowledge researchers who report valid, in-scope vulnerabilities (with your consent). We do not currently operate a paid bug bounty program.