Responsible disclosure
The COIN association takes the security of our platforms and services very seriously. Our members and customers must be able to rely on COIN to handle information with due care. To this end, we have taken the necessary technical and organizational security measures, which are periodically evaluated. Despite our concern for the security of our platforms and services, it is possible that weaknesses exist.
If you find such a weakness in one of our platforms or services, please let us know as soon as possible so that we can take measures.
Step-by-step plan for reporting security issues / vulnerabilities
1. Report security leaks or vulnerabilities to security at coin.nl. We request that you encrypt your findings with our PGP key (Fingerprint=7C1E78A7BCC41BCD8D9351D41CFEA82D54B28422) if it contains data of a sensitive or confidential nature. This is to prevent the information from falling into the wrong hands.
2. Include as much relevant information as possible in your report (screenshots, IP addresses, which steps led to the error or issue?).
3. In your report, please include your e-mail address, telephone number or other contact details on the basis of which we can contact you. You are free to make an anonymous report if you do not wish to be identified.
4. We ask you:
· Provide enough information to reproduce the problem, so that we can solve the problem as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more complex vulnerabilities may require more.
· Not to abuse the problem by, for example, downloading more data than is necessary to demonstrate the leak or to view, delete or modify third-party data.
· Do not share the problem with others until it is resolved and delete all confidential data obtained through the leak immediately after the leak is closed.
· Not to use physical security attacks, social engineering, (distributed) denial of service, spam or third-party applications.
5. As soon as we have received a report, we will start an investigation as soon as possible. We may also contact you for this. If you wish to communicate with us anonymously, you can use a temporary and/or anonymous email address. If desired, we can also work with an intermediary or confidential adviser. Your report and any data will not be shared by us with third parties and will only be used to communicate about this finding.
6. We will treat your report confidentially and will not share your personal information with third parties without your consent, unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is also possible.
7. We will keep you informed of the progress of solving the problem.
We are very grateful to everyone who helps us make our systems and platforms more secure for their help and will also report this (if desired). Of course, the above steps must be followed.