Coordinated Vulnerability Disclosure

At ITM, we consider the security of our systems to be of utmost importance. Despite our efforts to secure our systems, vulnerabilities may still occur.

If you have identified a vulnerability in one of our systems, we would appreciate it if you could inform us so that we can take appropriate measures as quickly as possible.

We are happy to work with you to better protect our stakeholders and systems.

What we ask of you

If you have found a vulnerability in one of ITM’s systems, we ask you to:

• Report the vulnerability as soon as possible after discovery via informatica@itg.be. Please encrypt your email to prevent the information from falling into the wrong hands. Learn how to do this in Outlook or Gmail.

• Provide sufficient information to reproduce the vulnerability so that we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more information may be required for complex cases.

• Provide your contact details so that we can contact you and work together towards a secure resolution. Please include at least your name, email address and/or phone number. Reporting under a pseudonym is possible, but please ensure that we can contact you if we have additional questions.

• Confirm that you have acted and will continue to act in accordance with this Responsible Disclosure Policy.

Rules you must follow

• Do not disclose the vulnerability publicly until we have been able to resolve it. See below regarding possible publication afterwards.

• Do not exploit the vulnerability by unnecessarily copying, deleting, modifying or accessing data, or by downloading more data than necessary to demonstrate the vulnerability.

• Do not perform the following actions:

  • Installing malware (virus, worm, Trojan horse, etc.).

  • Copying, modifying or deleting data in a system.

  • Making changes to the system.

  • Repeatedly gaining access to the system or sharing access with others.

  • Using automated scanning tools.

  • Using so-called brute force techniques to gain access to systems.

  • Using denial-of-service attacks or social engineering (phishing, vishing, spam, etc.).

• Do not use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications.

• Immediately delete any data obtained through the vulnerability after reporting it.

• Do not perform any actions that may affect the proper functioning of the system, in terms of availability, performance, confidentiality or data integrity.

Activities under this Responsible Disclosure Policy must be limited to testing for potential vulnerabilities and sharing this information with ITM.

What we promise

• We will respond within a reasonable timeframe with our assessment of your report and an expected timeline for resolution.

• If you have complied with the above conditions and have not committed any other violations, we will not take legal action against you.

• We will treat your report confidentially and will not share your personal data with third parties without your consent, unless required to comply with a legal obligation. Reporting under a pseudonym is possible.

• We will keep you informed about the progress of resolving the issue.

• In any ITM communication regarding the reported issue, we will acknowledge you as the discoverer if you wish.

• We aim to resolve all issues within a reasonable timeframe.

• We reserve the right to disregard reports of low quality.

If in doubt about the applicability of this policy, please contact us first via this email address to request explicit permission.

We reserve the right to amend or terminate this policy at any time.

This text is a derivative work of 'Responsible Disclosure' by Floor Terra, used under a Creative Commons Attribution 4.0 International license.