Security vulnerability disclosure
We do everything possible to keep our systems secure. If you do encounter a security issue in our systems, please report this to us so that we can fix it immediately. We call this “vulnerability disclosure” (also referred to as “coordinated vulnerability disclosure” and “responsible disclosure”).
How to disclose a vulnerability
- Report the issue to security@anthura.nl. If this is not possible, call us on +31 10 529 19 19.
- Please provide as much information as possible to help us reproduce and resolve the issue. This includes a detailed description with IP addresses, logs, screenshots etc.
- Also provide your contact details such as a phone number or email address so that we can contact you if we require more information.
What to do next
- Do not tell anyone about it.
- Destroy the data you have obtained.
- Do no more than is necessary to demonstrate the issue.
- Do not take advantage of the vulnerability; otherwise, we will notify the relevant authorities.
You do not have to disclose the following
- Resource depletion/DoS or DDoS attack.
- Situations that cannot be reproduced.
- Exploits not validated with a second method (for example, tool A reports a “vulnerability” while tool B reports “no issue”).
- Cosmetic issues such as poor website display in browser A. (You can report these issues to communicatie@anthura.nl.)
- User-related issues, such as a workstation left unattended or actions that require specific click or key combinations.
- Simple lists and version numbers of OS, services and ports.
- Public files that should be publicly available.
- Missing HTTP-only flag on cookies that do not contain sensitive information.
- TLS misconfiguration without a proof of concept that the weakness can actually be exploited.
- Incomplete or missing SPF, DKIM or DMARC records.
- Services running at third parties (consult their own responsible disclosure page beforehand).
- Email addresses found in a third-party data breach.
- Vulnerabilities for which patches have been released in the last 2 weeks.
- URL redirects (to a valid page).
- Local content spoofing/clickjacking.
- Publicly registered IP addresses.
- Public files and information leaks in metadata.
- Missing security headers, options and flags.
- Outdated versions with no evidence of exploitation.
How we process your disclosure
- Within 1 business day, we will send you an email to confirm receipt of your message.
- Within 5 business days, we will send you an email with a detailed response and an expected resolution date. We will resolve the issue as soon as possible, at the latest within 3 months.
- We will keep you informed of progress.
- We will decide whether to disclose the issue after consulting with you. We will not mention your name without your consent.
Security.txt
With the publication of RFC 9116 earlier this year, a standardised format is now available for organisations to publish their 'vulnerability disclosure' policies and contacts. To this end, a human- and computer-readable text format (security.txt) has been devised and is now published on websites. You can find our security.txt file at: https://www.anthura.nl/.well-known/security.txt.
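As an added illustration of the format RFC 9116 describes (this is example code written for this page, not Anthura's own file or tooling), the following Python script parses a security.txt file and checks the rules most relevant to a reader of such a file: Contact and Expires must be present, Expires at most once and, as the RFC recommends, less than a year ahead, and Preferred-Languages at most once. The sample text, the example.com addresses and the fixed reference date are constructed placeholders, not the contents of any real organisation's file; the restriction of Contact values to mailto:, tel: and https: URIs is a simplification assumed here.

```python
"""Added example: parse and sanity-check a security.txt file (RFC 9116).

Not part of the original page; the sample and reference date are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample in the RFC 9116 format; every value is a placeholder.
SAMPLE_SECURITY_TXT = """\
# Constructed example security.txt (placeholder values)
Contact: mailto:security@example.com
Contact: tel:+1-555-0100
Expires: 2030-01-01T00:00:00.000Z
Preferred-Languages: en, nl
Policy: https://www.example.com/vulnerability-disclosure
Canonical: https://www.example.com/.well-known/security.txt
"""

# Fixed "current time" so that the checks below are reproducible.
FIXED_NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)


def parse_security_txt(text: str) -> dict:
    """Map each lower-cased field name to the list of its values.

    Blank lines and '#' comments are skipped; a non-comment line without a
    ':' separator is a parse error and raises ValueError.
    """
    fields: dict = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: Optional[datetime] = None) -> list:
    """Return a list of problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems: list = []
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    # Contact is mandatory; values are URIs (simplified here to three schemes).
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact: field is required (RFC 9116 section 2.5.3)")
    for contact in contacts:
        if not contact.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact value is not a mailto:/tel:/https: URI: {contact}")

    # Expires is mandatory, appears exactly once, and is an ISO 8601 date-time.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires: field must appear exactly once")
    else:
        try:
            # Older Python versions do not accept a trailing 'Z' in fromisoformat.
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires value is not an ISO 8601 date-time: {expires[0]}")
        else:
            if when <= now:
                problems.append("Expires date is in the past; the file should be treated as stale")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year ahead (RFC 9116 recommends less)")

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages: must not appear more than once")
    return problems


if __name__ == "__main__":
    for line in check_security_txt(SAMPLE_SECURITY_TXT, now=FIXED_NOW) or ["OK"]:
        print(line)
```

Run against the constructed sample the script prints "OK"; feeding it a file without an Expires line, or with one already in the past, returns the corresponding problem so that a stale or incomplete file is not mistaken for a valid disclosure contact.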