Responsible disclosure

Are you a specialist in information security and have you discovered a vulnerability? Please report it to us so that we can take appropriate measures. We are happy to work with you!

Help improve online security

At Menzis, the protection of customer data is paramount. That is why we continuously work on the availability and security of our systems, network, and products. Despite our efforts to secure our systems, they may still contain vulnerabilities.
If you are knowledgeable in the field of information security and have discovered a potential vulnerability, please report it to us so that we can promptly take appropriate measures. We are eager to collaborate with you to better protect our customers and our systems.
Our Responsible Disclosure policy (hereinafter referred to as the RD policy) is not an invitation to actively scan our corporate network for weaknesses. We have taken measures to address this ourselves. If you do so, there is a high chance that our Security Operations Centre (SOC) will investigate it.

Reporting a vulnerability

If you have found a vulnerability, you can email your findings to rd@menzis.nl. Upon receiving your report, it will be handled as follows:

  • You will receive an acknowledgment of receipt within three business days of the report.
  • Within five business days of the acknowledgment, you will receive a response containing an assessment of the report and the expected date of resolution. We strive to keep you informed of the progress in the meantime.
  • Menzis treats your report confidentially and will not share your information with third parties without your permission, except where required by law or a court order.
  • We will jointly determine whether and how the reported problem will be disclosed. Disclosure will only occur after the problem has been resolved. In the disclosure regarding the reported problem, Menzis may, if desired, mention your name as the discoverer.
  • By reporting a vulnerability, you may share personal data with Menzis. Menzis will not retain this data longer than necessary for this specific purpose and will delete it no later than one month after the issue has been resolved.

Guidelines

During your research, you may perform actions that could be considered illegal. If done in good faith and with good intentions, there is no reason for Menzis to file a complaint or claim damages. Therefore, we kindly request that you follow the guidelines below and act responsibly:

  • Do not share the discovered problem with others until it has been resolved, and immediately delete any confidential data obtained through the vulnerability after the vulnerability has been addressed.
  • Provide us with as much information as possible about how and when the vulnerability occurs. Clearly describe how this problem can be reproduced and provide information about the method used and the time of investigation.
  • Handle the knowledge of the security issue responsibly.
  • Do not perform actions that go beyond what is necessary to demonstrate the security issue.
  • Do not abuse the vulnerability by, for example, downloading more data than necessary or accessing, deleting, or modifying third-party data.
  • Share your contact information (email address or phone number) with us so that Menzis can contact you regarding the assessment and progress of the vulnerability's resolution.
  • Do not make any changes to the system.
  • Do not use social engineering to gain access to a system.
  • Try to access the system only when necessary.
  • Do not use brute force techniques to gain access to the systems.
  • Secure your own system as effectively as possible.

What not to report

The email address provided in this RD policy is not intended for:

  • Reporting that our website or any of our services are unavailable.
  • Reporting complaints. These can be reported through the complaints chat.
  • Reporting a fake email (phishing). These can be reported via Menzis' chat.
  • Reporting HTTP security header-related matters, such as:
      • Strict-Transport-Security
      • X-XSS-Protection
      • Content-Security-Policy
  • Reporting cache purge opportunities.
  • Reporting the visibility of Google API keys.

Employees of Menzis and its affiliated companies follow the existing internal incident procedure for reporting vulnerabilities.

National Cyber Security Center (NCSC)

This policy is based on the Responsible Disclosure Guideline established by the NCSC of the Ministry of Security and Justice.

Responsible Disclosure policy last modified: June 2023