Responsible Disclosure Policy
Last Updated: December 6, 2025
Principles
At Mijndokters Technologies, the security of our systems and data is a top priority.
Despite our best efforts, vulnerabilities may still exist. We appreciate your help in identifying and responsibly reporting any security issues so we can address them quickly and safely.
We commit to treating every report with respect, confidentiality, and fairness.
Security scope
Our internal security responsibilities cover all systems and services operated by Mijndokters Technologies. Not all of these systems are in scope for public testing or rewards.
In-scope for public testing and rewards
Our responsible disclosure / reward program focuses on:
Public, customer-facing production systems operated by Mijndokters Technologies
Systems under domains we control that process or expose customer or patient data
Out of scope for public testing and rewards
The following are not eligible for testing or rewards under this policy and are protected through our internal security processes instead:
Development, test, and staging environments
Internal CI/CD and build systems (e.g., Drone, build pipelines)
Third-party systems not owned or managed by us (e.g., hosting providers, analytics tools, payment processors)
Denial-of-service (DoS/DDoS) testing, load testing, or brute-force attacks
Social engineering (e.g., phishing employees, support desk manipulation)
Physical attacks against our offices, data centers, or equipment
If you are unsure whether a target is in scope, please contact us before conducting tests.
If you discover a vulnerability
Please follow these guidelines:
Report it by emailing security@mijndokters.com.
Encrypt your message using our PGP key (PGP fingerprint: 14D6 A69E 0DE5 1576 FF52 A236 0691 9A17 13B0 D539).
Do not exploit the vulnerability (for example, do not download, modify, or delete data).
Do not share information about the vulnerability with others until we confirm it has been resolved.
Avoid attacks involving physical intrusion, social engineering, denial of service, spam, or testing of third-party systems.
Provide sufficient details so we can reproduce and verify the issue, such as the affected URL, parameters, IP address, impact, and a clear step-by-step description.
What you can expect from us
Acknowledgment: We will confirm receipt of your report within 3 business days.
Assessment: You will receive an initial evaluation and an estimated resolution timeline.
Confidentiality: We will treat your report and your personal data confidentially.
No legal action: If you act in good faith and comply with this policy, we will not pursue legal action.
Transparency: We will keep you informed of our investigation and the final resolution.
Credit: With your consent, we will publicly recognize you as the discoverer once the issue has been resolved.
Rewards
As a token of appreciation, we offer a reward for valid, previously unknown vulnerabilities:
Minimum reward: € 50 (gift certificate)
Reward value depends on severity, impact, and report quality
Duplicate or low-impact findings may not qualify for a reward
Rewards are granted at the discretion of Mijndokters Technologies
Disclosure and Resolution Timeline
We aim to resolve validated vulnerabilities within 90 days of confirmation.
If resolution requires more time, we will keep you updated.
After resolution, we encourage coordinated publication together with us, ensuring accurate and safe communication of the issue.