RGF Staffing Belgium NV - Responsible Vulnerability Disclosure Policy
Definitions
- “We” or “Us” : RGF Staffing Belgium NV, having its registered office in Antwerp, Frankrijklei 101, RPR Antwerpen, with enterprise number 0461.127.904, and all Belgian Associated Enterprises of RGF Staffing Belgium.
- Associated Enterprises : the companies affiliated directly and indirectly with RGF Staffing Belgium, within the meaning of Article 1:20 of the Companies and Associations Code.
- “You” : every user of this Policy
- Security Researchers : individuals or organizations who, in good faith and through ethical means, engage in the identification, analysis, and reporting of potential security vulnerabilities in systems, applications, or networks. These researchers operate with the intent to enhance the overall security and integrity of digital infrastructure by responsibly disclosing discovered vulnerabilities to the appropriate parties for remediation, while adhering to applicable laws and best practices in responsible disclosure.
- Policy : this Responsible Vulnerability Disclosure Policy
This Policy is intended for Security Researchers who wish to report potential security vulnerabilities to the RGF Staffing Belgium security team.
This Policy is NOT intended for users (HR Candidates or HR Customers) who have security-related questions or who are experiencing issues with their password or account.
For HR Candidates:
If You are a candidate with a security-related question or experiencing issues with your password or account, please reach out directly to the office where You are registered. Contact details can be found on the websites of our Associated Enterprises/Associated brands.
For HR Customers:
If You are a customer with concerns about security or need assistance with your password or account, please use the designated support channels provided with your product or service.
Scope
This Policy covers all RGF Staffing Belgium services, products or web properties.
Please note! Most reports We receive have little or no security impact or are already known. To avoid a disappointing experience when contacting Us, please take a moment and consider if the issue You want to report actually has a realistic attack scenario.
More specifically, We ask You to NOT submit issues regarding:
- All XSS cache poisoning / X-Forwarded-Prefix+ & Stored Cross-Site Scripting.
- Anything related to email spoofing, SPF, DMARC or DKIM.
- API key disclosure without proven business impact.
- Arbitrary file upload without proof of the existence of the uploaded file.
- Banner grabbing/Version disclosure.
- Best practices violations (password complexity, expiration, re-use, etc.).
- Blind SSRF without proven business impact (pingbacks are not sufficient).
- Bypassing rate-limits or the non-existence of rate-limits.
- Clickjacking.
- Content injection without being able to modify the HTML.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- CORS misconfiguration on non-sensitive endpoints.
- Cross-Site Request Forgery (CSRF).
- CSV/formula injection.
- Denial of Service.
- Disclosed/misconfigured Google Maps API keys.
- Email bombing.
- Expired SSL certificates, weak SSL Ciphers, or issues regarding old TLS/SSL versions.
- Findings from automated tools without providing a Proof of Concept.
- Flash based exploits.
- Homograph attacks
- Host header injection, unless You have confirmed that it can be exploited in a practical attack.
- HTTP Request smuggling without any proven impact.
- Missing cookie flags.
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Missing or weak security-related HTTP headers.
- Non-Sensitive Data Disclosure, for example server version banners.
- Not stripping metadata of files.
- Pre-Auth Account takeover/OAuth squatting.
- Presence of autocomplete attribute on web forms.
- Previously known vulnerable software or libraries without a working Proof of Concept.
- Rate limiting or brute-force issues on non-authentication endpoints.
- Reverse tabnabbing.
- Same-site scripting.
- Self-XSS that cannot be used to exploit other users.
- Sessions not being invalidated (logout, enabling 2FA, etc.).
- Subdomain takeover without taking over the subdomain.
- Theoretical vulnerabilities without any proof or demonstration of the real presence of the vulnerability.
- Tokens leaked to third parties.
- Username/email enumeration.
- Verbose messages/files/directory listings without disclosing any sensitive information.
- Vulnerabilities requiring MITM, or physical access to a user’s browser, or a smartphone, or email account, as well as issues on rooted or jailbroken smartphones.
- WordPress username disclosure.
- XMLRPC enabled.
When duplicates occur, We will only accept the first report. A duplicate is a vulnerability that We are already aware of, regardless of how We first became aware of it (it could have also been discovered by Us internally).
Our Commitments
When You collaborate with Us under this Policy, You can expect the following from Us:
- Safe Harbor: We will extend Safe Harbor protections for any vulnerability research conducted in accordance with this Policy.
- Prompt Communication: We will work closely with You to understand and validate your report, providing an initial response within 12 business hours of submission.
- Timely Remediation: We will take prompt action to address and resolve any verified vulnerabilities.
Safe Harbor
We recognize vulnerability research conducted under this Policy as authorized, lawful, and beneficial to the overall security of the Internet, provided it is done in good faith. You are expected to comply with all applicable laws throughout your research.
If You have any concerns or are unsure whether your research aligns with this Policy, We encourage You to submit a report through our official channel (see below) before proceeding further.
Guidelines
To promote responsible vulnerability research and distinguish good-faith efforts from malicious activities, We ask that You:
- Play by the rules. This includes following this Policy, as well as any other relevant terms or agreements. If there is any inconsistency between this Policy and any other relevant terms, the terms of this Policy will prevail.
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.
- Only interact with accounts or devices You own or with explicit permission from the owner.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- If a vulnerability provides unintended access to data, limit the amount of data You access to the minimum required for effectively demonstrating a Proof of Concept.
- Cease testing and submit a report immediately if You encounter any user data during testing, such as personal data and sensitive personal data, credit card data, or proprietary information.
- Do not attempt to execute Denial of Service attacks.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Report any vulnerability You’ve discovered promptly.
- Do not engage in extortion by demanding a reward before disclosing vulnerability details.
- Use only the official channels to discuss vulnerability information with Us.
- Don't perform DoS/DDoS attacks or brute force attacks.
- Don't use automated scanners.
Disclosure
You are not allowed to publicly discuss or publish any vulnerability before it has been fixed and You have received explicit permission from Us to do so.
How to Contact Us
RGF Staffing Belgium Responsible Disclosure Program is available on the Intigriti platform: https://app.intigriti.com/company/programs/rgfstaffing/rgfbe-vdp/detail
Rewards
We do not offer monetary rewards for Responsible Disclosure reports, but if You report via our RGF Staffing Responsible Disclosure program on Intigriti, for all valid Medium+ reports We provide tokens of appreciation as a gesture of gratitude.
The only monetary reward exceptions are the specific assets listed in our Registered Bug Bounty Program on Intigriti. Please note that for the Registered Bug Bounty Program, We will only accept reports for those assets that are listed in the program scope and no other variations.
For all other assets, regardless of the reporting method, We recognize Security Researchers who submit previously unknown vulnerabilities that result in a code or configuration change by offering a place in our Security Hall of Fame (HoF).
Quick links:
RGF Staffing Belgium Responsible Disclosure program (Intigriti)
RGF Staffing Belgium Registered Bug Bounty Program (Intigriti)