Vulnerability reporting centre

Responsible disclosure policy

Every day, specialists at Kempen work hard to improve our systems and processes to ensure that client data are protected against misuse, and to safeguard the availability of our services. However, we have to face the fact that vulnerabilities may occur even in our systems. We would be very grateful if we could enlist your help to detect such vulnerabilities.

Who can report a vulnerability?

Anyone who discovers a possible weak spot in the Kempen systems can report a vulnerability. 

What is the scope?

The responsible disclosure programme covers only the following domains (and all underlying subdomains): 

  • kempen.com

Which vulnerabilities can you report?

You can report problems related to the security of services that Kempen offers online. Examples of vulnerabilities that can be reported include: 

  • Remote Code Execution
  • Cross Site Scripting (XSS) vulnerabilities
  • Cross Site Request Forgery (CSRF) vulnerabilities 
  • SQL injection vulnerabilities 
  • Encryption vulnerabilities 
  • Unauthorized access to data

Exclusions

  • All notifications without a clear report with evidence of possible exploitation
  • Issues with respect to SPF/DKIM/DMARC records
  • Fingerprinting/version banner disclosure on common/public services
  • Publicly accessible files and directories with non-sensitive information (e.g., robots.txt)
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Cross Site Request Forgery (CSRF) vulnerabilities on static pages and logout functionality 
  • Brute force attacks against ‘Forgot password’ pages 
  • Redirection from HTTP to HTTPS
  • HTTP OPTIONS enabled
  • Host Header Injection
  • Missing HTTP Security Headers such as Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  • HTML does not specify charset
  • HTML uses unrecognized charset
  • Lack of ‘Secure’/‘HTTPOnly’ flags on non-sensitive cookies
  • Clickjacking-related issues
  • User enumeration on websites that do not process online payment transactions
  • Possibly outdated server or application versions (of external parties) without evidence that these versions are vulnerable and without proof of operation 
  • Reports of unsafe SSL/TLS protocols and other misconfigurations
  • Generic vulnerabilities related to software or protocols that do not fall under the control of Kempen
  • Distributed Denial of Service (DDoS) attacks
  • Spam or Social Engineering techniques
  • Reports of regular scans, such as port scanners

How do you make a report?

Have you discovered a vulnerability?

1. Please contact us as soon as possible by sending an email message to: responsibledisclosure@vanlanschotkempen.com
2. Please describe the security problem you have discovered in as much detail as possible. Your report will be read by specialists, so you can use technical terminology and be specific wherever necessary.
3. You are free to include your contact details (name and possibly your telephone number) or to make an anonymous report. 

What will we do with your report?

A team of security experts will investigate your report and will provide an initial response within two working days. In the meantime, please keep the issue confidential, discuss it with our experts, and give them time to resolve the problem. We will inform you of our assessment of your report, and we will let you know whether and when we will apply a solution. 

Reward

As a token of our gratitude for your assistance, we offer a reward for every report of a vulnerability that we are actually able to resolve or that leads to a change in our services. Kempen will determine, at its discretion, whether your report qualifies for a reward and what would be commensurate. In the event that your report qualifies, we will need your personal particulars in order to effect payment. 

Please note: You are free to make an anonymous report. It is important to note, however, that in this event, we will not be able to make arrangements with you regarding the follow-up of your report, any possible reward, or whether or not charges will be pressed. (Please refer to ‘What are the rules?’)

What are the rules?

While investigating the vulnerability you have discovered, you may have inadvertently committed a criminal offence. If you act in good faith, with integrity, and in careful compliance with the rules as stated below, the bank will have no reason to press charges. It is, therefore, important that you abide by the following rules when investigating a possible vulnerability: 

  • Please make sure that you do not cause any damage with the vulnerability you have discovered. Under no circumstances may your actions lead to a deliberate interruption of the services or to disclosure of bank or client data.
  • Please refrain from using social engineering to gain access to a system.
  • Do not use automated scanners to detect vulnerabilities (such as Burp Suite Scanner, Acunetix, etc.).
  • Do not install a backdoor in an information system so that you can subsequently demonstrate its vulnerability, as this may cause additional damage as well as unnecessary security risks.
  • Limit the use of a vulnerability to an absolute minimum. Do only what is necessary to establish the vulnerability.
  • Do not change or remove any data from the system and exercise maximum restraint in copying data (if one single record will suffice to demonstrate the problem, stop there and do not continue).
  • Do not make any system changes.
  • Do not repeatedly try to gain access to the system. Once you have gained access, do not share it with others.
  • Do not use brute force to gain access to systems. After all, repeatedly trying passwords has very little to do with detecting vulnerabilities.
  • Only the first person to report a vulnerability will be eligible to receive a reward.

Your privacy

If you would like to be informed on the follow-up of your report, you can choose to provide us with your contact details (name, email address, possibly your telephone number). We will not disclose your identity to any third party without your prior consent, nor will we use your personal details for any purpose other than to process your report appropriately, unless a legal obligation mandates disclosure of that information. We will protect your personal data in compliance with the guidelines as described in the Personal Data Protection Act (WBP). 

Miscellaneous terms and conditions

All matters related to internet security and privacy are governed by Dutch law. We can only accept reports that are drawn up in Dutch or English.