Coordinated Vulnerability Disclosure (CVD) policy

Coordinated Vulnerability Disclosure

First Lawyers considers the security of its systems important. Despite our concern for the security of our systems, there may still be a weak spot.

A weak spot can be discovered accidentally. It may also have been deliberately sought. Our coordinated vulnerability disclosure policy is not intended as an invitation to extensively scan our systems for weaknesses. We continuously monitor our systems for weaknesses and a report could lead to unnecessary work and costs. For that reason, we do not call for active hacking attempts. However, as soon as you find vulnerabilities or weak spots, we would appreciate it if you informed us as soon as possible.

We would like to hear from you

Your signal gives us the opportunity to immediately take appropriate, additional and sufficient management and security measures, so that we can protect the data of our clients and our employees and guarantee the confidentiality, reliability and availability of the data.

We would like to collaborate with you and build a lasting relationship with you.

We use the MYOBI Trust Network.

We ask you:

  • Send us your findings via the MYOBI website. Use the link https://myobi.eu/nl/vertrouwensnetwerk/coordinated-vulnerability-disclosure/kwetsbaarheid-melden-cvd/
  • Register with MYOBI, start the CVD script and inform us safely about the vulnerability, if desired, your analysis of the possible impact on our business operations and your advice on how to remove the vulnerability;
  • Not to abuse the problem by, for example, downloading more data than is necessary to demonstrate the vulnerability or to view, delete or modify third-party data;
  • Not sharing the vulnerability with others until it is resolved and deleting any confidential data obtained through the vulnerability immediately after resolving it;
  • Not to use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications; and
  • Provide sufficient information to reproduce the vulnerability so that we can resolve it as quickly as possible. Typically, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more complex vulnerabilities may require more.

What we promise:

  • We will acknowledge your report within one day and respond to your report within two days with our assessment of the report and an expected date for a resolution;
  • If you have complied with the above conditions, we will in principle not report you to the police or take any other legal action against you;
  • We will treat your report confidentially and will not share your personal data with third parties without your permission, unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is possible;
  • We will keep you informed of the progress of solving the problem;
  • In reporting about the reported problem, we will, if you wish, mention your name as the discoverer; and
  • As a thank you for your help, we offer a reward for every relevant report of a security problem that is not yet known to us. We determine the size of the reward based on the severity of the leak and the quality of the report.

Finally

We strive to resolve all weaknesses in the management and security measures taken as quickly as possible and we would like to be involved in any publication about the problem after it has been resolved.