- NL
- EN
Digital vulnerability reporting centre
At a.s.r., we consider the security of our systems to be very important. Despite our care for the security of our systems, it can happen that there is still a weak spot. If you notice a weak spot in one of our systems, please let us know immediately. Then we can take measures as soon as possible.
In this way, together we can improve the security and reliability of our systems. Report a possible weak spot via our central reporting centre safe internet desk. This reporting centre is not an invitation to actively discover weak spots. a.s.r. actively monitors its own company network for security incidents.
The Computer Emergency Response Team (CERT) is a specialised team of ICT professionals that is able to act quickly in the event of security incidents and the prevention of security incidents.
-
Why we are working on our digital resilience Show Almost every day, we improve the quality and security of our online service so that our customer and company data are protected against misuse. We also ensure as a result that the security and availability of our service are guaranteed. Despite all our care and efforts, situations may arise in which there is a weak spot in our security.
-
You can do the following Show If you do find any vulnerabilities, please report these. We would like to hear from you as soon as possible. Examples of vulnerabilities you may report are:
- Cross-Site Scripting (XSS) vulnerabilities
- SQL injection vulnerabilities
- Weaknesses in design secured connection
- Remote Code execution
- Cross Site Request Forgery (CSRF) vulnerabilities
- Vulnerabilities related to encryption
- Unauthorised access to data.
When investigating the vulnerability found, make sure you preserve the softwareand do not make any changes. After all, changes may result inerrors and as a result damage to our services.Under no circumstances may your investigation:
- result in interruption of our services
- result in the situation in which a.s.r. data is made public without permission.
-
Who may report? Show Anyone who discovers a possible weakness in a.s.r.'s online services and/or underlying information systems may report.
-
How to report Show If you have found a vulnerability, please contact our central reporting centre safe internet desk as soon as possible. Encrypt your findings with our PGP key (fingerprint) to prevent the information from falling into the wrong hands.
We ensure that you will receive a response within the timelines of our procedures. A condition is that you use a valid and working email address when entering the report. For each vulnerability, one report is accepted (the first reporter).Describe the problem found in as concrete and specific a manner as possible:
- the steps you have taken
- the full URL and/or IP address
- what possible objects are involved (for example, which input fields or filters)
- the risk, the consequences and/or the possibility of execution
We can only process reports that are submitted in Dutch and English. The provision of a solution is encouraged.
-
What do we do with your report? Show A team of (security) experts will investigate your report and contact you as soon as possible. We will try to do this within five working days.
Please do not make the problem public, but give us time to resolve the problem. We will let you know what we think of your report, if and what solution we are going to apply and when we will do this. We also ask you not to share the problem with others and to immediately remove all possible data obtained from the found vulnerability. -
You find a vulnerability and then what? Show It is not possible to rule out legal action against persons reporting in advance. We consider ourselves morally obliged to file a report when we suspect that the weak spot or vulnerability is being abused, or that you have shared knowledge about the weak spot with others. Therefore, please follow the rules as set out below and do not act in a disproportionate manner:
- Do not use physical protection, social engineering, (distributed) denial of service, malware and/or spam attacks.
- Do not take advantage of the vulnerability. Do not copy, modify or delete any data from the system. Also, you may not download (store), change, add, delete and/or publish any data without permission from a.s.r.
- Do not (actively) scan our infrastructure to discover weak spots. We monitor our company network ourselves. There is a good chance that a scan will be picked up by a.s.r. and that our CERT will investigate the origin of this scan and unnecessary costs may be incurred.
- Do not make any system changes, such as, for example, placing backdoors in order to subsequently as a result demonstrate the vulnerability. By making changes, you can cause additional damage and/or create unnecessary security risks.
- Do not attempt to access the system repeatedly or share the access obtained with others.
- Do not use so-called ‘brute force’ in order to access systems. After all, that is not a matter of vulnerability, but of repeatedly trying to log in and/or guess passwords.
-
What not to report Show The digital vulnerability reporting centre is not meant for:
- Submitting questions or complaints about a.s.r.’s services and/or website(s). Please use our complaint form or contact us.
- Making fraud reports and/or suspicions of fraud. Is there (suspected) fraud? Report this immediately to the security matters department.
- Reporting fake (phishing) emails or viruses. Did you receive an e-mail that you don't trust? Create a new e-mail with this untrusted message as an attachment and sent it to valse-email@asr.nl.
- Reporting a possible data breach. Do you suspect that there is a (possible) data breach? You can report this to us by sending an e-mail to the Reporting centre incidents and data breaches.
-
Your privacy Show We ask you to provide us with contact details for the course of the procedure (unless you have made a report anonymously). We will not disclose your identity to third parties without your consent and will not use your data for purposes other than to provide an appropriate follow-up to your report. An exception occurs when competent authorities request information from us. This will be complied with without your prior consent.