At Focus Digital Agency, the security of our data and systems is important to us. Despite our care for the security of our systems, vulnerabilities and weak spots can still occur.

If you have found a vulnerability in one of our systems, we would like to hear about it so that we can take action as soon as possible. We would like to work with you to better protect our users and our systems.

Our responsible disclosure policy is not an invitation to actively scan our network to discover vulnerabilities. We monitor our network and, as a result, there is a high probability that a scan will be picked up and blocked in cases where we deem it necessary.

There is a chance that your finding may involve actions that are not permitted by law. If you have complied with the conditions below during your discovery, we will not take any legal action against you regarding the report. The Public Prosecutor’s Office always retains the right to decide whether you will be criminally prosecuted.

What we ask of you:

  • Email your findings as soon as possible to hello@focusdigital.nl.
  • Not to exploit the vulnerability by, for example, downloading more data than necessary to demonstrate the leak or by changing or deleting data.
  • Not to share the vulnerability with others until we have indicated that the vulnerability has been fixed and may be shared.
  • Not to use attacks on physical security or third-party applications, social engineering, distributed denial-of-service, or spam.
  • Provide sufficient information to reproduce the vulnerability so we can resolve it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability and the actions taken is sufficient, but more may be required for more complex vulnerabilities.

What we promise:

  • We will respond to your report within 3 working days with our assessment of the report and an expected date for resolution.
  • We will treat your report confidentially and will not share your personal information with third parties without your consent unless necessary to fulfil a legal obligation.
  • We will keep you informed of the progress of resolving the vulnerability.
  • Anonymous or pseudonymous reporting is possible. Please be aware that this means we cannot contact you about, for example, the next steps, progress of plugging the leak, publication or the possible reward for the report.
  • In our reporting on the vulnerability we will, if you wish, mention your name as the discoverer of the vulnerability.
  • We may give you a reward for your finding. However, we are under no obligation to do so. Thus, you are not automatically entitled to compensation. The form of this reward is not fixed in advance and will be determined by us on a case-by-case basis. Whether we give a reward and the form of the reward depend on the diligence of your finding, the quality of the report and the severity of the vulnerability.
  • We strive to resolve all issues as quickly as possible and to keep all parties involved informed, and we are happy to be involved in any publication about the vulnerability after it is resolved.