
Security

A. Secure: ISO 27001
B. GDPR and Data Protection
C. Responsible Disclosure


Secure: ISO 27001

Secure: We are committed to implementing and monitoring our security based on leading standards. We constantly improve our measures to protect our customers’ and Cybersprint’s data from the latest threats. Our team consists of expert security professionals, and we actively protect ourselves just as we protect our customers. Our leading principle is: practise what you preach.

We are ISO 27001 certified and are regularly audited by an independent external auditor.

We comply with the standards of the Dutch government and the financial industry, such as DUO and NIST.


GDPR & Data protection

Data privacy principles
Decisions made by Cybersprint with regard to the processing of personal data stem from the principles stipulated in the GDPR. These foundational principles support Cybersprint’s aim to make the right decisions to protect data subjects and personal data.

Fairness
We aim to process all our collected data fairly and in a dignified manner, with respect for the trust bestowed upon us and in good faith as meant in the GDPR.

Transparency
We aim to maintain an open and transparent approach to processing personal data.

Lawfulness
We comply with the jurisdictional legislative frameworks regarding data protection, such as the GDPR for the EU. We always aim to maintain a lawful and fair approach to processing personal data in good practice.

Purpose limitation
We only collect personal data for specific purposes and only for as long as necessary to fulfil those purposes.

Data minimization
We aim to process only the personal data necessary to achieve its processing purpose. By doing so, we minimize the possible impact on data subjects.

Accuracy
We aim to maintain the accuracy of collected personal data.

Storage Limitation
Information regarding data subjects will be stored for the shortest period practically possible.

Integrity & Confidentiality
We aim to process data in a manner that ensures appropriate security of the collected personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

These foundational principles are the basis for Cybersprint’s privacy ethics. If there is any doubt about the appropriate decision regarding data protection, Cybersprint’s Data Protection Officer is available to answer questions and help guide that decision.



Responsible Disclosure (Coordinated Vulnerability Disclosure)

Cybersprint’s goal is to make the world more cyber-secure. Naturally, we strive towards a high level of security for our own systems and online presence. However, it can happen that Cybersprint’s systems contain a weak spot.

If you have found a potential security vulnerability in one of Cybersprint’s systems or domains, that’s actually something we value, and would like to thank you for bringing it to our attention. That’s why we have set up our responsible disclosure process as described below. Thanks to your finding, we can co-operate with you to take the necessary measures and mitigate vulnerabilities.

We kindly ask you to:

• Email your finding to soc [at] cybersprint.com as quickly as possible, including every step needed to identify and reproduce the vulnerability;
• Provide us with full details of the security issue, including the IP address or the URL of the affected system or domain, and if possible a Proof of Concept;
• Leave your contact details so we can contact you to co-operate towards a safe result. This could be your name and an email address or a telephone number;
• Not disclose the vulnerability to others without our permission/approval;
• Handle knowledge of the vulnerability with care. Please do not perform any acts other than those necessary to reveal the vulnerability to us.

For the security of our systems, and to secure the service we provide to our customers, we ask you to please take note of the following:
• Do not cause damage and create unnecessary security risks;
• Do not install, copy, change or delete anything on a system;
• Do not use ’brute force’ to access a system;
• Do not use social engineering to gain access to a system;
• Do not publish any sensitive data including customer and/or infrastructure data found in your research;
• Do not disrupt online services;
• Do not install a backdoor in the system, not even for the purpose of showing the vulnerability. Inserting a backdoor will cause even more damage to our systems;
• Do not attempt to penetrate the system any further than required for the purpose of your investigation. Should you have successfully penetrated the system, do not share this gained access with others;
• Do not make any changes to or delete data from the system. If your finding requires you to copy data from the system, do not copy more data than necessary. If one record will suffice, do not copy any more.

What to report
Examples of vulnerabilities could be:
• Authentication bypass, unauthorized data access;
• Remote code execution;
• SQL injection;
• Cross Site Scripting (XSS);
• Cross Site Request Forgery (CSRF).
The following cases are excluded from this responsible disclosure programme. Please do not report:
• Our policies on presence or absence of SPF/DKIM/DMARC records;
• Cross Site Request Forgery (CSRF) vulnerabilities on static pages (only on pages behind logon);
• Redirection from HTTP to HTTPS;
• HTML does not specify charset;
• HTML uses unrecognized charset;
• Cookie without HttpOnly flag set;
• Absence of HTTP Strict Transport Security (HSTS);
• Clickjacking or the non-existence of X-Frame-Options on non-logon pages;
• Server or third-party application version revealed and possibly outdated, without a Proof of Concept of its exploitation;
• Reports of unsecured SSL/TLS ciphers and other misconfigurations;
• Generic vulnerabilities related to software or protocols not under control of Cybersprint;
• Distributed Denial of Service Attacks;
• Spam or Social Engineering techniques;
• Reports of regular scans like Port scanners.

What you can expect from us
• First of all, we will handle all reports confidentially and will not share your personal details with third parties without your permission, unless this is required by judicial decision.
• We will respond to your report within three working days with an assessment of the report and an expected date for a resolution.
• We will resolve the observed security issue as quickly as possible and keep you up-to-date.
• We will determine in mutual consultation whether and in what way the issue will be published after it has been resolved.
• We will offer a reward based on:
o If you are the first reporter;
o The severity of the vulnerability;
o The possibility of exploitation.
• We reserve the right to consider the vulnerability as an accepted risk and not resolve it.

Your privacy
We will only use your personal information to get in contact with you and to undertake actions with regard to your reported vulnerability. We will not distribute your personal information to third parties without your permission, unless we are required to do so by law, or if an external organization takes over the investigation of your reported vulnerability.

More information
This is not an invitation to actively start scanning or hacking our systems. If you happen to find something (by accident), we would like to know as soon as possible via soc [at] cybersprint.com.
You may use our PGP key to encrypt sensitive information that you send by email.