Digital vulnerability reporting centre

At a.s.r., the digital security of our customers is very important to us. Despite our care for the security of our systems, there may still be a vulnerability.

This reporting desk is not an invitation to actively discover vulnerabilities. a.s.r. actively monitors its own corporate network for security incidents itself. Please tell us if you have found a vulnerability in any of our systems, so that we can take action as soon as possible.

In that case, we hereby request you to:

Email the findings to the digital vulnerabilities reporting desk. Encrypt your findings with our PGP key to prevent the information falling into the wrong hands.
Provide sufficient information to reproduce the problem so that we can fix it as soon as possible. Usually, stating the IP address or URL and the parameters used of the affected system and a description of the vulnerability is sufficient, but more may be needed in case of more complex vulnerabilities.
Abstain from exploiting the problem by, for example, downloading more data than necessary to demonstrate the leak or viewing, deleting or modifying third-party data.
Not to share the problem with others until it is fixed and delete all confidential data obtained through the leak immediately after the leak has been stopped.
Not to use physical security attacks, social engineering, distributed denial of service, spam or third-party applications.

What we promise:

We will respond to your report with our assessment of the report and an expected date for its resolution.
We will treat your report confidentially and will not share your personal data with third parties without your consent unless necessary to comply with a statutory obligation. Reporting under a pseudonym is possible.
We will keep you updated on the progress of resolving the issue, unless the finding has been reported before. In that case we will inform you that this is the case.
To thank you for your help, we offer a token of appreciation for any report of a security problem we were not aware of. This token of appreciation will be determined based on the severity of the leak and the quality of the report.
If you comply with the above conditions, we will not take any legal action against you regarding the report.

We aim to resolve all issues as soon as possible and we are happy to be involved in any publication about the problem after the reported issue has been resolved.

Privacy

For more information on personal data processing and privacy, we refer to our privacy statement.

What not to report:

The reporting desk is not intended for:

Submitting questions or complaints about a.s.r.’s services and/or website(s). Please use our complaint form or contact us for this purpose.
Making fraud reports and/or suspicions of fraud. Is (suspected) fraud involved? Please report this immediately to the security affairs department.
Reporting potential data leaks. Do you suspect a (possible) data leak? You can report this to us by sending an e-mail to the Data leak security incidents reporting desk.