Responsible Disclosure Statement

At True, we consider the security of our systems to be of utmost importance. Despite our efforts to secure our systems, vulnerabilities may still exist. If you discover a vulnerability in any of our systems, we encourage you to report it promptly so that we can take the necessary measures. We are committed to working with you to enhance the protection of our customers and our systems.

When reporting a vulnerability, please:

  • Send your findings to security@true.nl
  • Refrain from abusing the issue (e.g., downloading excessive data, accessing or modifying third-party data).
  • Avoid sharing the issue with others until it has been resolved, and delete any confidential data obtained through the vulnerability.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties
  • Provide sufficient information to reproduce the problem. Typically, the IP address or URL of the affected system and a description of the vulnerability are adequate, but more details may be necessary for complex vulnerabilities.

Our commitments to you:

  • Response within 5 days with an assessment of the report and an expected resolution date.
  • Refrain from taking legal action if you adhere to our disclosure terms.
  • Treat your report confidentially and avoid sharing your data with third parties without your consent, except where legally required.
  • We will keep you informed about the progress of resolving the issue.
    If desired, credit you as the discoverer in communications about the reported problem.
  • Resolve the issue as quickly as possible.
  • Be involved in any post-resolution publication about the problem.

Known false positives:

When reporting potential vulnerabilities, consider realistic attack scenarios and the security impact of the behavior. Below are common false positives we encounter. The following issues will be regarded as invalid, except in rare circumstances with clear security impact:

  • Fingerprinting/version banner disclosure on general/public services.
  • Disclosure of well-known public files, directories, or non-sensitive information (such as robots.txt).
  • Clickjacking and issues exploitable only through clickjacking.
  • Missing cookie flags on non-sensitive cookies.
  • SPF and DKIM issues on domains other than true.nl.
  • DMARC issues.
  • Missing DNSSEC (implementation in progress).
  • Self-XSS.
  • Same Site Scripting/Localhost DNS record.
  • Problems caused by outdated browser software.
  • Known CVEs are excluded for a reasonable period after the public availability of a patch (usually 30 days).

The above text is an adoptation of the original Responsible Disclosure text by Floor Terra, published with a Creative Commons Attribution 3.0 Unported license. The original text can be found at responsibledisclosure.nl/en.