Deloitte Legal B.V. (hereafter: Deloitte) values the overall (cyber) security of the Digital Health Compliance (hereafter: DHC) website and therefore, apart from taking all usual precautions and effort, adopted a Responsible Disclosure Policy (hereafter: RD policy). This policy allows people (hereafter: reporter) to report any vulnerabilities to Deloitte directly. In case the reporter wants to do this anonymously, this is possible.
No legal action will be taken against the reporter if the RD policy is complied with. After initiation by the reporter, Deloitte will take the full and sole lead in the process. Publishing (any details about) the vulnerability at this stage is prohibited. If the reporter chooses not to comply with these rules, Deloitte reserves the right to take any legal action(s).
How can a vulnerability be reported?
For reporting a vulnerability under the RD policy of Deloitte, the following rules apply:
- If the reporter identifies a vulnerability, we would like to know as soon as possible (even if the details aren’t complete yet);
- From the moment the vulnerability was found, the reporter can communicate with our team. Please do not communicate about it with anyone else, except for the official contact person from Deloitte;
- When reporting a vulnerability, we would like to receive as many details as possible. Preferably these details include:
  - A description of the vulnerability or vulnerabilities, as well as the steps required for Deloitte to reproduce the vulnerability (including technical information and, if applicable, information about the software and hardware used by the reporter);
  - A description of the extent to which personal and/or confidential data are or were involved in (finding) the vulnerability;
  - A means by which Deloitte can get in contact with the reporter, to update the reporter on our follow-up of the reported vulnerabilities. Preferably, this is a telephone number or email address (including encryption details) (in case the reporter chooses to remain anonymous, we respect this as well);
  - Additional information is appreciated if it helps us work through the procedure better and/or faster.
- The reporter only needs to report the (potential) vulnerability to us by following the above steps for providing the (possible) information. We will take the lead in the next steps;
- Any damage to or disruption of the (accessibility of the) systems and/or people involved, as well as any form of invasion of privacy, must be avoided at all times. Potential vulnerabilities that are explicitly excluded from this policy are:
  - Vulnerabilities obtained by manipulating persons (or any form of ‘social engineering’);
  - Vulnerabilities found by means of “brute force” attacks;
  - Vulnerabilities that are a consequence of “(D)DoS” attacks.
What does Deloitte do with a reported vulnerability?
For a non-anonymous participation in and full compliance with the RD policy by the reporter, Deloitte will initiate the following procedure:
- Deloitte receives the report and will respond officially within 2 working days.
- We will inform the reporter about the progress of processing the report;
- At the moment the vulnerability is resolved, Deloitte will inform the reporter. After we explicitly give the reporter permission, the (resolved) problem may, in consultation with us, be published;
- In case a vulnerability is of a very severe, persistent, or otherwise disproportionate nature, Deloitte may decide that the vulnerability cannot and will not be published.
- Deloitte will handle any personal data given by the reporter strictly confidentially and will not share these with third parties, unless we are compelled to do so by local laws and regulations.
Frequently Asked Questions (FAQ)
Will I receive a reward for my effort?
Deloitte highly appreciates your effort in assisting us in optimizing our website. In case your reported vulnerabilities have been solved or have led to a change in our services, the reporter will be eligible for a reward. For this, we need your personal details. If the same vulnerability is reported by others as well, the reward will be granted to the first reporter.
Am I allowed to reveal the vulnerability to the public?
No, the reporter is not allowed to reveal a vulnerability to the public without consulting us first. By working together we can prevent criminals from abusing the newly detected vulnerability. Our security experts are keen to learn from the reporter and to solve the problem.