Name/Designation: Co-Dex.eu BVBA
Address/registered office: Albert I-laan 23 in 8920 Langemark-Poelkapelle
Registration number at the Crossroads Bank for Enterprises (CBE): BE 0693.665.707
Represented by: [person authorized to legally represent the organization] Wim Barthier
Hereinafter referred to as the "Organization".
Out of concern to improve the performance and security of our network and information systems, we have chosen to implement a coordinated vulnerability disclosure policy. This allows participants acting in good faith to look for potential vulnerabilities in our organization's systems, equipment and products, or to provide us with any information they have discovered about a vulnerability.
However, access to our IT systems and equipment is granted solely for the purpose of improving their security and informing us of existing vulnerabilities, in strict compliance with the other conditions set out in this document.
Our policy concerns security vulnerabilities that may be exploited by third parties or that may disrupt the proper functioning of our products, services, network or information systems.
The participant is also authorized to enter or attempt to enter computer data into our computer system, subject to the purposes and conditions of this policy.
The list of products, services or websites within the scope:
The list of products explicitly excluded from the scope of this policy:
Systems that rely on third parties are outside the scope of this policy unless these third parties explicitly agree to these rules in advance.
The participant undertakes to strictly observe the principle of proportionality in all their activities, i.e. not to disrupt the availability of the services provided by the system and not to exploit the vulnerability beyond what is strictly necessary to demonstrate the security problem. Their conduct must remain proportionate: once the security problem has been demonstrated on a small scale, no further action should be taken.
The following actions are not allowed for the participant:
Under no circumstances may the participant share or distribute information collected under our policy to third parties without our prior and express approval.
It is also not permitted to communicate computer data, communication data or personal data to third parties or to distribute them to third parties.
Our policy is not intended to enable the intentional disclosure of the contents of computer data, communications data or personal data and such disclosure may only occur incidentally in the context of detecting vulnerabilities.
However, our organization can provide information about identified vulnerabilities to the Belgian Cybersecurity Center (CERT.be service, cert@cert.be) and inform this center about any organizations that may be dealing with the same vulnerabilities.
If the participant seeks assistance from a third party to conduct his research, he should ensure that the third party is aware of this policy in advance and agrees to abide by the terms of the policy, including confidentiality, when providing assistance.
Our organization undertakes to implement this policy in good faith and not to prosecute, either civilly or criminally, any participant who strictly complies with its terms.
There must be no fraudulent intent, intention to harm, or intention on the part of the participant to use or cause damage to the visited system or its data.
In case of doubt about certain terms of our policy, the participant must consult our point of contact in advance and have a written answer before acting.
A coordinated disclosure policy does not aim primarily and intentionally to process personal data[1]. Unless it is necessary to prove the existence of a vulnerability, the participant may not access, retrieve or store personal data.
However, it is possible that the participant, even by chance, may gain access to personal data stored, processed or transferred in the computer system concerned. It may also be necessary for the participant to temporarily consult, retrieve or use personal data in the context of detecting vulnerabilities. In this case, the participant must notify the data protection officer of our organization (wim@co-dex.be).
When processing such data, the participant undertakes to comply with the legal obligations regarding the protection of personal data and the terms of this policy.
Processing personal data for purposes other than detecting vulnerabilities of systems, equipment or products of our organization is excluded.
The participant may not retain any processed personal data for longer than necessary. During this period, the participant must ensure that the data is retained with a guarantee of a level of security appropriate to the risks (preferably encrypted). After the end of participation in the policy, this data must be deleted immediately.
Finally, the participant must inform us of any possible loss of personal data as soon as possible after becoming aware of it.
If possible, please also add the HTTP header described below to your requests, so that we can more easily analyse what effect the vulnerability you found has on our information systems.
Preferably, provide this information in an HTTP header field named "x-bugbounty" whose value is your email address. Doing so is optional, but it makes analysis of the finding more efficient and helps us distinguish your benign activity from malicious manipulation.
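The "x-bugbounty" header only helps if the organization's side actually uses it when reading its logs. The following Python script is an added example (not part of this policy and not Co-Dex.eu's own tooling) showing how a defender could split web-server traffic into tagged research traffic, untagged traffic, and requests whose tag does not look like an email address. The JSON log format, the reporter address and the IP addresses are constructed assumptions; header names are compared case-insensitively because clients may send "X-BugBounty".

```python
import json
import re
from collections import defaultdict

# Minimal email sanity check. The header value is an identifier the reporter
# chooses, so it is a triage hint for matching a report to log lines, not an
# authentication of the sender.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
HEADER_NAME = "x-bugbounty"

# Constructed sample: JSON access-log lines as a reverse proxy might emit them.
# Format, addresses and paths are assumptions, not Co-Dex.eu's actual logs.
SAMPLE_LOG = """\
{"ts": "2025-01-20T09:00:01Z", "src": "203.0.113.5", "method": "GET", "path": "/login", "headers": {"x-bugbounty": "researcher@example.org"}}
{"ts": "2025-01-20T09:00:02Z", "src": "203.0.113.5", "method": "POST", "path": "/login", "headers": {"x-bugbounty": "researcher@example.org"}}
{"ts": "2025-01-20T09:00:03Z", "src": "198.51.100.7", "method": "GET", "path": "/admin", "headers": {}}
{"ts": "2025-01-20T09:00:04Z", "src": "198.51.100.9", "method": "GET", "path": "/search?q=x", "headers": {"X-BugBounty": "not-an-email"}}
"""


def parse_log_line(line):
    """Parse one JSON access-log line and attach the x-bugbounty value (or None).

    Header names are lower-cased so that "X-BugBounty" and "x-bugbounty" match.
    """
    rec = json.loads(line)
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    rec["bugbounty"] = headers.get(HEADER_NAME)
    return rec


def classify(lines):
    """Split requests into tagged research traffic and everything else.

    Returns (tagged, untagged, malformed):
      tagged    maps reporter email -> list of records carrying that tag
      untagged  records without the header (ordinary or unknown traffic)
      malformed records whose tag does not look like an email; worth a closer
                look, since the policy asks for the reporter's email address
    """
    tagged = defaultdict(list)
    untagged, malformed = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_log_line(line)
        tag = rec["bugbounty"]
        if tag is None:
            untagged.append(rec)
        elif EMAIL_RE.match(tag):
            tagged[tag].append(rec)
        else:
            malformed.append(rec)
    return dict(tagged), untagged, malformed


def summarize(lines):
    """Per-reporter summary used when matching a received report against the logs."""
    tagged, untagged, malformed = classify(lines)
    return {
        "reporters": {
            email: sorted({r["path"] for r in recs}) for email, recs in tagged.items()
        },
        "untagged_sources": sorted({r["src"] for r in untagged}),
        "malformed_tags": len(malformed),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG.splitlines()), indent=2))
```

Running the script prints one entry per reporter with the paths they touched, the source addresses of untagged requests, and a count of requests whose tag did not look like an email address. Because the header is self-declared, the tagged bucket should still be compared with the report the participant actually sends; the header only narrows the search.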
Our organization commits to award a reward to the participant who identifies a vulnerability that has not yet been reported to our points of contact:
[1] European Regulation No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR General Data Protection Regulation).
You should send the discovered information exclusively to the following email address: wim@co-dex.be with the subject "VULNERABILITY REPORT".
You can also contact the department or person responsible for the policy during office hours on the following telephone number(s): +32 47 39 33 43 0.
Please send us the related information as soon as possible after your discovery.
Please provide us with enough information so that we can reproduce the problem and resolve it as quickly as possible.
We request that you provide us with at least the following relevant information (in Dutch, French, German or English):
Purpose: to identify you
Purpose: to contact you
Purpose: to describe the vulnerability
Purpose: to identify the vulnerability type
Purpose: to simulate the vulnerability more accurately
Purpose: to distinguish your legitimate operations from possibly malicious other activity
Purpose: to complete the information
Purpose: to document and demonstrate the vulnerability
Purpose: to determine the risk of the vulnerability
The participant undertakes to provide the information discovered about any vulnerabilities as soon as possible to the point of contact or to the coordinator mentioned in point 3 a) of this policy. The participant must use the mentioned secure means of communication.
Our organization undertakes, upon receipt of a message, to send the participant an acknowledgement of receipt within a reasonable period [e.g. within max. 7 working days], with its internal reference, a reminder of its obligation of confidentiality and the next steps of the procedure.
If the participant does not receive an acknowledgement of receipt within a reasonable period, they may, where appropriate, contact Wim Barthier (wim@co-dex.be), so that the appropriate persons within the responsible organisation can be contacted.
The parties undertake to do everything in their power to ensure permanent and effective communication. The information provided by the participant can indeed be very useful in identifying the vulnerability and finding a solution.
If, after a reasonable period of time, neither party nor the designated coordinator responds, the parties can always call on Wim Barthier (wim@co-dex.be) as default coordinator.
During the investigation phase, our organization will reproduce the environment and the behavior observed in order to verify the information provided.
Our organization undertakes to keep the participant regularly informed of the results of the investigation and of the follow-up given to his report.
During this process, the parties will ensure that they link to similar or related reports, assess the risk and severity of the vulnerability, and identify any other affected products or systems.
The disclosure policy aims to enable the development of a solution to eliminate the vulnerability of the IT system before damage is done.
To the extent possible and taking into account the costs and existing knowledge, our organization will try to work out a solution as quickly as possible, depending on the seriousness of the risks faced by the users of the systems involved.
In this phase, our organization (or our service provider) undertakes to perform positive tests on the one hand to verify that the solution is working correctly and negative tests on the other hand to ensure that the solution does not disrupt the proper functioning of the other existing functionalities.
Our organization will decide, in consultation with the participant, in what way the existence of the vulnerability will be published. At the same time as this announcement, a security notice will be published on our website (or sent via e-mail) and included in a system update message for users.
Before any publication, our organisation will provide the relevant information to the CCB (cert@cert.be) and will grant a deadline for essential service providers in Belgium [1] to be informed of this vulnerability.
Our organization also undertakes to collect user comments on the application of the solution and to take the necessary corrective actions to resolve any problems caused by the solution, including compatibility with other products or services.
[1] Providers and authorities identified by the CCB.
Belgian law applies to disputes relating to the implementation of this policy.
The CCB may act as a mediator between our organization and the participant for disputes relating to the implementation of this policy.
The rules of the policy are applicable from 20-01-2025 until they are changed or revoked by our organization. These changes or revocations will be announced on our organization's website and will automatically apply 30 days after the announcement.
No items in scope