Purpose and Language
At GKS, WiFi4All & Adhetec we consider the security of our systems, services, and customer data a top priority. Despite our best efforts, vulnerabilities may still exist. We believe that collaboration with security researchers is essential to maintaining a secure digital environment. This Coordinated Vulnerability Disclosure (CVD) Policy explains how security vulnerabilities can be reported responsibly and how we handle such reports.
This policy is published in English to ensure it is accessible to the international security community and not limited to Dutch-speaking researchers.
Scope
This Coordinated Vulnerability Disclosure (CVD) Policy applies to all public-facing systems, applications, websites, networks, and services that are owned, operated, or managed by the following organizations:
- GKS
- WiFi4All
- Adhetec
These organizations share a common vulnerability reporting contact point via security@gks.nl. Only systems and services that fall under the direct responsibility or operational control of the above-mentioned organizations are considered in scope. Systems operated by third parties or external service providers are out of scope, unless explicitly stated otherwise.
Our Commitment
If you comply with this policy, we commit to the following:
- We will respond to your report as quickly as possible with an initial assessment.
- We will not take legal action against you for reporting a vulnerability in good faith and in accordance with this policy.
- We will treat your report as strictly confidential and will not share your personal data with third parties without your consent.
- We will keep you informed about the progress of remediation.
- We will acknowledge your contribution publicly, if you wish, after the issue has been resolved.
- We aim to play an active and coordinated role in any public disclosure after remediation.
Guidelines for Security Researchers
When discovering a vulnerability, we ask you to:
- Report your findings to security@gks.nl
- Provide sufficient information to reproduce the issue. Typically, this includes:
  - Affected IP address or URL
  - Description of the vulnerability
  - Steps to reproduce
  - Proof of concept, where applicable
- Avoid exploiting the vulnerability beyond what is strictly necessary to demonstrate its existence.
- Refrain from accessing, modifying, or deleting data belonging to others.
- Not disclose the vulnerability to others until it has been resolved or coordinated with us.
Prohibited Activities
The following actions are not permitted under this policy:
- Denial-of-service or distributed denial-of-service attacks
- Physical security testing
- Social engineering, phishing, or impersonation
- Spam campaigns
- Attacks involving third-party applications or infrastructure
- Any activity that may cause service disruption or data loss
Reporting a Vulnerability
Please submit vulnerability reports via email to: security@gks.nl
We aim to:
- Acknowledge receipt within 3 business days, where reasonably possible.
- Provide an initial assessment as soon as reasonably possible.
Response times may vary depending on the complexity or severity of the issue, or on required coordination with third parties.
Response and Coordination
Upon receiving a report, our security team will:
- Validate the reported vulnerability
- Assess its severity and impact
- Coordinate remediation efforts internally or with relevant suppliers
- Keep the reporter informed of significant progress
- Coordinate any public disclosure after remediation
Recognition
If you would like to be acknowledged for your responsible disclosure, please indicate this in your report. We are happy to credit researchers for their contribution unless anonymity is preferred.
What you do not need to report
The following findings are considered out of scope and generally will not be addressed:
- Social engineering
- (Distributed) Denial of Service
- Physical access testing
- Issues that cannot be reproduced
- Tool-only findings without validation or proof of concept
- Cosmetic or UI-only issues
- User awareness issues (e.g. unattended workstation scenarios)
- Basic fingerprinting or version banners
- Public information in public files or metadata
- Missing security headers without demonstrable impact
- TLS configuration issues without proof of exploitability
- Missing or incomplete SPF, DKIM, or DMARC records
- Third-party hosted services (refer to their own disclosure policies)
- Email addresses found in third-party breaches
- Publicly disclosed vulnerabilities patched within the last 14 days
- Open redirects to valid destinations
- Clickjacking or local content spoofing
- Registered public IP addresses
- Outdated software versions without a working exploit
Known Issues and Accepted Risks
Some vulnerabilities may already be known or accepted as part of a risk-based decision. These issues may not be publicly listed. Reports concerning known or accepted risks may not result in further action.
Legal Safe Harbor
Any activity conducted in good faith and in alignment with this policy will be considered authorized. We will not initiate legal action against researchers who comply with these guidelines.
Policy Updates
This policy may be updated periodically. The latest version will always be published on our website.
Contact
For questions related to this policy, please contact: