RESPONSIBLE DISCLOSURE

Policy statement:

Because we always want to improve the performance and security of the Cegeka network and information systems as much as possible, we have implemented this responsible disclosure policy. It provides for the identification of potential vulnerabilities in Cegeka IT systems, within the scope of applicable laws and regulations. This policy covers the reporting of security vulnerabilities that could be exploited by third parties or interfere with the proper functioning of Cegeka products, services, network or information systems. In this policy, Cegeka means Cegeka NV and any of its affiliates.

The following IT systems, services, equipment and products are subject to this policy: https://www.cegeka.com

Additionally, IT systems that rely on third parties are outside the scope of this policy, except if those third parties expressly agree to this policy in advance or the participant complies with the applicable policies of these third parties. The participant's investigation in relation to IT systems, services, equipment or products not expressly covered by this policy may result in liability for such participant and/or prosecution under applicable law.

Nothing in this policy shall limit Cegeka's right to seek emergency, interim or injunctive relief in any competent court, and the participant shall indemnify Cegeka for all claims, losses, costs, penalties, fines and all damage in the broadest sense arising from, as a result of, or in connection with any breach of this policy.

This policy is construed in accordance with articles 62/1 and 62/2 of the Law of April 7, 2019, establishing a framework for the security of network and information systems of general interest for the public safety.

*If questions arise in regard to scoping, please contact responsibledisclosure@cegeka.com*

Mutual obligations of the parties:

Proportionality

The participant undertakes to be proportionate in all their activities under this policy. The participant will not disrupt the availability of the services provided by the IT systems and will not exploit the vulnerability beyond what is strictly necessary to demonstrate the security problem. Once the problem has been demonstrated on a small scale, no further action shall be taken by the participant.

This policy does not allow the participant in any way to intentionally intercept, observe, inspect, read, record, store, or otherwise process the content of Cegeka information technology, communications or personal data.

The participant is not allowed to carry out the following actions:
1) Copying or changing data from the IT system, or deleting data from that system
2) Changing the parameters of the IT system
3) Installing any malware (i.e. viruses, worms, Trojan horses, etc.) or similar software that disables functionalities of the Cegeka systems
4) Carrying out any "denial of service" attacks (Distributed Denial of Service - DDoS)
5) Carrying out any "social engineering" attacks
6) Carrying out any phishing attacks
7) Carrying out any junk mail attacks (spamming)
8) Carrying out any password theft or "brute force" attacks
9) Using any other destructive method when searching for vulnerabilities
10) Installing a device that allows the observation, interception or storage of non-publicly available communications or electronic communications
11) Intentionally observing, intercepting or storing non-publicly available communications or electronic communications
12) Intentionally using, storing, communicating or distributing the content of communications not available to the public, or data from an IT system that the participant should reasonably have known was obtained illegally
13) Continuing with their actions when requested to stop by Cegeka
14) Continuing the actions for longer than strictly necessary for the intended purpose
15) Making the scope broader than strictly necessary for the intended purpose

If the participant is assisted by a third party to carry out its research, it must ensure that the third party has prior knowledge of this policy and agrees to comply with the terms of the policy when providing assistance to the participant.

Monitoring

The participant shall monitor the Cegeka systems during any test, in order to detect and respond to incidents at an early stage. When an incident arises that has a negative impact on the availability or integrity of the systems or applications being tested, including the supporting infrastructure (such as slower response times, increasing CPU load, disruption of applications or services, potential modifications or system crashes), the following procedure shall apply:
1) If the participant suspects an Incident, all tests shall promptly be stopped, and the participant shall commence an Incident investigation. The participant (or its representative) shall contact Cegeka using the contact details below as soon as reasonably possible;
2) The participant will analyse the Incident characteristics by consolidating logs from the test equipment. The participant shall also document its observations and findings in an Incident report, which is issued to Cegeka within 48 hours after the Incident. This report permits Cegeka to subsequently analyse and review the events in their timeline;
3) The participant shall not disclose the content of these Incident reports to third parties, unless this is permitted by Cegeka.

Confidentiality:

The participant is not allowed to share or disseminate to third parties any information collected under this policy, except when explicitly agreed upon in writing by Cegeka and, when relevant. The participant is not allowed to communicate or distribute any IT, communication or personal data to third parties.

If the vulnerability may reasonably affect other organisations in Belgium, the participant or Cegeka may nevertheless report it to the Centre for Cybersecurity Belgium (CCB) (vulnerabilityreport@cert.be). In that case, the participant will provide Cegeka with reasonable prior written notice specifying its intentions.

Acting in good faith:

Cegeka undertakes to implement this policy in good faith and not to make legal claims against participants that comply with this policy. The participant must have no fraudulent intent, intention to harm, or desire to use or cause damage to the accessed IT system or its data. This also applies to third-party systems in Belgium or abroad. In case of doubt about certain terms of this policy, the participant shall consult the Cegeka contact person beforehand and obtain their written consent before acting.

Procedure:

Cegeka point of contact

The participant can use the following email address to contact Cegeka about a possibly discovered vulnerability or to get more information about this policy: responsibledisclosure@cegeka.com

The participant may not share confidential or sensitive information in this mail. Cegeka will contact the participant and establish a secure way of communication if necessary. The parties undertake to make every effort to ensure continuous and effective communication with the purpose of identifying and resolving the identified and reported vulnerability. If, after a reasonable period of time, there is no response from either party, the parties may appeal to the CCB (vulnerabilityreport@cert.be) as (standard) coordinator.

Research and solution:

Cegeka will verify the provided information and inform the participant about the results of the investigation and/or the actions taken with regard to this information. During this process, the parties will take into account similar or related reports, assess the risk and severity of the identified vulnerability, and identify any other affected products or systems. The purpose of the policy is to enable the development of a solution that eliminates the vulnerability of the IT system before any (further) damage is done.

Applicable law:

This policy is governed by and shall be interpreted in accordance with Belgian law. Any dispute with respect to the validity, interpretation or execution of this policy shall be finally settled by the competent courts of Brussels.

Processing of personal data:

1) This policy does not aim to cover the intentional processing of personal data. However, participants may, even accidentally, have access to or process personal data as part of their research into vulnerabilities. The participants must process such personal data in accordance with all applicable data protection legislation, in particular the GDPR.
2) The participant may process personal data in a limited manner and continuously during their research activities in accordance with this policy. The participant may retain these data only for as long as necessary to fulfil the purpose of the research activities.
3) When processing such data, the participant undertakes to comply with the legal obligations regarding the protection of personal data and the terms of this policy, in particular:
a) The participant processes personal data only for the purpose of detecting vulnerabilities in Cegeka systems, equipment or products (Cegeka instruction). Any processing of personal data for any other purpose is excluded, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the participant is subject; in such a case, the participant must inform Cegeka of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
b) The participant undertakes to limit the processing of personal data to what is necessary for vulnerability detection.
c) The participant must ensure that those authorised to process personal data have undertaken to maintain confidentiality or are bound by an appropriate statutory obligation of confidentiality.
d) The participant undertakes to respect the conditions set out in this policy.
e) The participant must take appropriate technical and organisational measures to ensure a risk-appropriate level of security (e.g. encryption) in accordance with article 32 of the GDPR.
f) The participant declares that it understands the risks associated with the implementation of this policy and that it has the necessary expertise and experience to test our organisation's systems, equipment and products in a secure manner and in compliance with applicable laws and regulations.
g) The participant undertakes, to the extent possible and taking into account the nature of the processing and the information at its disposal, to assist Cegeka in carrying out its obligations regarding the exercise of data subjects' rights, security of processing and any possible impact analysis.
h) The participant undertakes to inform Cegeka as soon as possible after becoming aware of any possible personal data breach by contacting privacy@cegeka.com.
i) The participant may not retain any personal data processed for longer than necessary. During this period, the participant must ensure that this data is maintained with a risk-appropriate security level (preferably encrypted). Upon termination of participation under this policy, this data must be deleted immediately, unless the participant is required to retain it under applicable Union or national law.
4) If the participant processes personal data stored and/or otherwise processed by Cegeka in a manner contrary to this policy, or for purposes other than detecting potential vulnerabilities in Cegeka systems, products and equipment, the participant acknowledges that it will be considered a data controller and will be fully liable for the processing carried out by it on that account.

Duration:

The policy is applicable as from 01/02/2025 and will continue to be so until Cegeka announces a change. Cegeka may amend or terminate the policy. Cegeka will announce any material changes to the policy by publishing these on the Cegeka website/in this policy. Unless otherwise explicitly stated by Cegeka, changes to the policy will be effective 30 days after their announcement.

Commercial security services:

Cegeka is currently not looking for new security services.