Responsible Disclosure Policy

At PriServices B.V., the security and privacy of our systems are of the highest priority. Despite our efforts to protect our services, vulnerabilities may still exist. If you identify one, we welcome your assistance in disclosing it responsibly and helping us mitigate the issue as quickly as possible to protect both our customers and systems.

Scope

Assets (In-Scope):

  • Domain: *.priservices.eu/*
  • Domain: *.pripost.eu/*
  • Domain: *.prioffice.eu/*
  • Domain: *.priparcel.eu/*
  • Domain: *.pritelecom.eu/*

Important Note: The production environment priportal.eu is out of scope for testing. Only the test environment at https://test.priportal.eu/* is in scope for security research.

Important Information Regarding the PriPortal Test Domain:

The https://test.priportal.eu/ domain has been specifically created for security researchers and is an up-to-date replica of the production environment. Researchers are encouraged to create their own accounts and conduct tests within the scope of their own data. Emails sent by the test portal are accessible at https://test.priportal.eu/mails/#/. Please note that this mailbox contains emails from researchers worldwide and may contain sensitive information. Handle this information responsibly and avoid disclosing or misusing it during testing.

Out-of-Scope Vulnerabilities:

  • Clickjacking on pages with no sensitive actions
  • Non-state-changing CSRF (unauthenticated/logout/login)
  • Attacks requiring MITM or physical access to a user’s device
  • Social engineering-based attacks
  • Denial of Service (DoS) or actions that disrupt services
  • Content spoofing or text injection without significant security impact
  • Prototype Pollution without a valid security impact
  • Missing email or DNS security settings (e.g., DKIM, SPF, DMARC, CAA, DNSSEC)
  • Minor security header misconfigurations (e.g., HSTS, CSP)
  • Lack of HttpOnly flag on non-sensitive cookies
  • Broken links or other non-security related website issues
  • User enumeration or directory listings on purpose-built admin panels
  • Password reset link or session remains valid after password reset (known issue)

Testing Guidelines:

  • Researchers can create and use their own accounts for testing purposes.
  • Avoid running automated scanners unless you notify our security team first.
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue (e.g., refrain from modifying, deleting, or accessing unnecessary data).
  • Do not disrupt services, and ensure testing does not degrade performance or availability.
  • Focus on testing your own account and data. Avoid accessing or modifying other users' data without permission.

Reporting Guidelines:

  • Always submit vulnerabilities through our online form.
  • For updates, contact us at security@priservices.eu.
  • Provide sufficient details to help us reproduce the issue (e.g., description, proof of concept, and steps to reproduce).
  • Our decisions on the scope, severity, and validation of issues are final.

Disclosure Guidelines:

  • Do not publicly disclose vulnerabilities until we have confirmed and resolved the issue.
  • If you wish to publish a report, share your research with us at least 30 days before publication, ensuring it excludes any sensitive information about our customers, employees, or third parties.
  • Failure to comply with our publication guidelines may result in the revocation of any testing permissions.

Rewards:

This is a Vulnerability Disclosure Program, not a Bug Bounty Program. While we do not offer monetary rewards for all submissions, we may provide discretionary rewards for critical findings, such as those involving remote code execution.

What We Promise:

  • We will acknowledge your report within 7 business days, providing an initial evaluation and estimated timeline for resolution.
  • If you adhere to the guidelines, we will not pursue legal action.
  • Your report will be treated confidentially, and we will credit you for the discovery unless you request anonymity.
  • We will keep you informed of our progress in addressing the issue.

We appreciate your support in improving the security of PriServices B.V. and ensuring the safety of our customers.