Report vulnerability

The security of our systems, and above all the data of our customers and partners, is of great importance to us. Despite our concern for the security of our systems, it is possible that there is a weak spot. If you have found a weak spot in one of our systems, we would like to hear about it so that we can take measures as quickly as possible. We would like to work with you to better protect our customers and our systems.

By reporting a vulnerability to Mett, you agree to our Code of Conduct. We appreciate your cooperation in making our services safer and look forward to your constructive contributions.

We ask the following

Responsible Reporting

  • Use secure channels: Report vulnerabilities only via security@mett.nl.

  • Act ethically: Do not carry out attacks on our systems. Limit your actions to what is strictly necessary to demonstrate the vulnerability and avoid causing damage to data or systems.

  • Speed: Submit the report as soon as possible after discovering the vulnerability.

  • Protect confidential information: Do not use, share, or disclose any personal or confidential information obtained during your investigation.

Vulnerability Reporting Guidelines

  • Completeness: Provide sufficient information to reproduce the issue so that we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability is enough, but more may be required for more complex vulnerabilities.

  • Carefulness: Test the vulnerability only in your own account or in a test environment. Do not perform tests that could disrupt the availability of the service (e.g., DoS attacks).

  • Communication: Be clear and thorough in your communication. Provide as much information as possible to allow us to reproduce the vulnerability.

Respect and Professionalism

  • Respectful behavior: We ask that you always communicate with our team in a respectful and professional manner. If not we we will give you two warnings and eventually add you on a black list.

  • Responsibility: We have the right to investigate and verify reports and to take appropriate measures to address vulnerabilities. We ask for your patience and trust during this process.

Compliance with Laws

  • Legal compliance: Ensure that your actions comply with applicable laws and regulations. We do not accept reports resulting from activities that violate the law.

What we promise

Response and Expectations

  • Timely confirmation: We will confirm receipt of your report as soon as possible.

  • Respons: We will respond to your report as soon as possible, no later than 5 business days *, we will prioritize your report first. Based on the priority we will handle your report.

  • Collaboration: We may request additional information. We appreciate your cooperation in properly addressing the vulnerability. We will keep you informed about the progress of resolving the issue.

  • Confidentiality: We treats all reports confidentially and will not share your report without your permission unless required by law.

Priorities

  • Low/informative: We wil conduct research and send a conclusion within three months. If this is a new issue we will reward you within this timespan.*

  • Normal: We wil conduct research and send a conclusion within 4 weeks. If this is a new issue we will reward you within this timespan.*

  • High: We wil conduct research and send a conclusion within 2 weeks. If this is a new issue we will reward you within 2 weeks.*

  • Urgent: We wil conduct research and send a conclusion within 2 business days. If this is a new issue we will reward you within 5 business days.*

* The processing of vulnerabilities can take longer on holidays.

Reward

  • Reward expectations: As a token of appreciation for your assistance, we offer a reward for every report of aof a new security issue. We determine the size of the reward on the basis of the severity of the leak and the quality of the report with a minimum of € 10,- (payment within 5 working days AFTER CONFIRMATION AND CONDUCT OF A REPORT via paypal F&F).