Skip to main content
NL EN
NL EN

Reporting Vulnerability

Have you discovered a vulnerability in our systems? We’d love to hear about it. Your help allows us to prevent abuse and improve the security of our services.

More tips on online security

Secure internet
Prevent phishing
Secure login

Good to know

Have you received a fake email, SMS, or letter (phishing)? Know how to recognise and report them:

Fake email (phishing)

How to report a vulnerability?

Rewards for reporting via HackerOne

Anyone can report a vulnerability, even if you're not a customer. Use our form on HackerOne to do so:

Report a vulnerability via HackerOne

We offer appropriate rewards through HackerOne if your report helps us fix vulnerabilities. Our reward structure is listed on the HackerOne page. Athora decides whether you qualify for a reward and the amount. No reward will be given if:

  • Someone else has already reported the same (or a similar) vulnerability.
  • The vulnerability is already known to us.
  • There is abuse or violation of the rules.

Anonymous reporting

You can also report a vulnerability anonymously (in Dutch or English) by emailing us at:

ResponsibleDisclosure@athora.nl

Include sufficient information in your email to allows us to reproduce and verify the vulnerability, such as a specific URL, a step-by-step plan or a proof of concept. Please note that we will not be able to give you a reward if you report anonymously.

Rules

Athora Netherlands greatly appreciates your report, but we also believe it is important that all our customers can continue to use our online services safely and without disruption. Therefore, please follow the rules below, act in good faith, and avoid disproportionate actions.

  • Which vulnerabilities can you report?

    Which vulnerabilities can you report?

    You can report issues related to our online services, such as:

    • Cross-Site scripting (XSS)
    • SQL-injection
    • Cross Site Request Forgery (CSRF)
    • Remote Code Execution
    • Unauthorised access to data
  • Do not abuse

    Do not abuse

    • Only use discovered vulnerabilities for your own research and report and for no other purpose.
    • Make minimal use of vulnerabilities. Do only what is necessary to determine the vulnerability.
    • Do not share vulnerabilities with any other party than Zwitserleven.
    • Communicate with our experts and give us time to resolve the issue.
    • Do not implement backdoors or introduce new vulnerabilities.
  • Social, physical and brute force testing are not allowed

    Social, physical and brute force testing are not allowed

    • All forms of Denial of Service (DoS), bruteforcing and enumeration are not allowed.
    • Social engineering (e.g., phishing, vishing, smishing) is not permitted.
    • Do not launch attacks on our physical security.
  • Do not disturb other users or compromise their data

    Do not disturb other users or compromise their data

    • Use only your own accounts and contact details, or those for which you have explicit, verifiable permission.
    • Avoid privacy violations and data destruction.
    • Be cautious when retrieving or copying data. Only access what is necessary to demonstrate the vulnerability.
    • Never share customer or company data with others.
    • Do not perform actions that other users might notice. For example, don't post tests on a public forum, in the comments on a public page, via a DM to another user, etc.
    • Secure your own systems that contain information about the vulnerability or test data.
  • Do not cause damage

    Do not cause damage or disrupt our services while investigating a vulnerability

    • Never interrupt our services.
    • Use a maximum of 1 concurrent connection or thread during testing.
    • Do not make any changes to our systems.
    • Do not alter or delete data from our systems.

Have you accidentally violated any of these rules? For example, by causing a publication, a disruption, or other damage, please contact us immediately: 

ResponsibleDisclosure@athora.nl

What we do with your report

Our security experts will investigate your report. We aim to send an initial substantive response within three working days.

Your privacy

We do not share your data with others, nor do we use it for any other purposes, unless we are legally obliged to do so, for example in response to a request from the judicial authorities.