Security statement

Krafters attaches great importance to ensuring the availability, integrity and confidentiality of our systems and strives for fully transparent security procedures. These are described below.

You can also find more information about how we handle your data in our privacy policy.

Found a vulnerability in a Krafters system?

Despite our care for information security, a technical vulnerability may occur. If you find a vulnerability in a Krafters system, you can report it to us. Making a report is called Coordinated Vulnerability Disclosure (CVD).

Updates to this policy

Krafters may update this security policy by placing a new version on this website; for the most recent version of our policy please visit our website.

Contact

If you wish to contact Krafters about any aspect of our security policy, use this email address: info@krafters.nl.

Report a vulnerability

Found a vulnerability in a Krafters system?

Krafters attaches great importance to ensuring the availability, integrity and confidentiality of our digital systems. Despite our care for information security, a technical vulnerability may occur. If you find a vulnerability in a Krafters system, you can report it to us. Making a report is called Coordinated Vulnerability Disclosure (CVD). On this page we are happy to explain how this works.

For which vulnerabilities can you make a CVD report?

You can report vulnerabilities when they pose a risk to the security of our systems. Examples include vulnerabilities that make it possible to bypass an authentication mechanism or gain access to confidential data in an unintended way. Not every deviation in a system is a vulnerability. We therefore ask you not to make a CVD report to us for the following deviations:

  • A deviation that has no impact on the availability, integrity or confidentiality of confidential information;

  • The availability of version information (for example an info.php file). A possible exception is when the version information shows that the system uses software with known vulnerabilities;

  • The absence of HTTP security headers, unless this absence demonstrably leads to a security problem.

If you are unsure whether the vulnerability you found falls under one of the above exceptions, you may of course still report it to us.

How do you make a CVD report to Krafters?

  • Email your findings to info@krafters.nl;

  • Send the CVD report as soon as possible after discovering the vulnerability;

  • Ensure the CVD report is in Dutch or English;

  • Ensure your CVD report contains the following information:

    • A detailed description of the vulnerability, optionally including CVE number and/or EDB-ID;

    • The IP address or URL of the vulnerable system;

    • How the problem can be reproduced:

      • The steps taken to identify the vulnerability;

      • Objects that play a role (such as input fields);

      • Screenshots are appreciated.

  • Please leave an email address so we can contact you if we have questions.

What should you not do?

  • Placing malware or other software that could harm the availability, integrity and/or confidentiality of our systems;

  • Abusing the vulnerability by performing actions that go beyond what is necessary to demonstrate the security problem, for example by downloading, copying, modifying or deleting data and viewing third-party data;

  • Repeatedly gaining access to our systems or sharing the access and/or information with others;

  • Keeping confidential data obtained when demonstrating the vulnerability — delete such data immediately after confirmation of receipt of the CVD report;

  • The following attack techniques are not allowed:

    • Attack techniques that could disrupt and negatively affect normal system operation, including "(Distributed) Denial of Service" attacks, spam and buffer overflow attempts;

    • Bypassing authentication mechanisms through "Brute force", "Dictionary" and "Social engineering" attacks;

  • Attacks on third-party applications.

The principles of our CVD policy

  • When you make the CVD report according to the procedure above, we will not attach any legal consequences to your actions during the identification of the vulnerability;

  • We treat your CVD report confidentially and do not share personal data with third parties without your permission, unless necessary to comply with legal obligations;

  • We will send you a confirmation of receipt within one working day;

  • In any communication about the reported issue we will, if desired, mention your name as the discoverer. We will only mention your name with your permission. Reporting under a pseudonym is possible.