Scope

We consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. In order to improve the performance and security of our networks and information systems, we have adopted a coordinated vulnerability disclosure policy. Our policy concerns security vulnerabilities that could be exploited by third parties or disrupt the proper functioning of our products, services, networks or information systems.

This policy gives participants the opportunity to search for potential vulnerabilities in our organisation's systems, equipment and products with good intentions or to pass on any information they discover about a vulnerability. However, access to our IT systems and equipment is only permitted with the intention of improving security, informing us of existing vulnerabilities and in strict compliance with the other conditions set out in this document. The participant is also permitted to introduce or attempt to introduce computer data into our computer system, subject to the purposes and conditions of this policy.

The Coordinated Vulnerability Disclosure Policy is limited to the Olympus Mobility Mobile Application and the portal website.

Principles

Proportionality

The ethical hackers undertake to comply strictly with the principle of proportionality in all their activities, i.e. not to disrupt the availability of the services provided by the system and not to make use of the vulnerability beyond what is strictly necessary to demonstrate the security flaw. Their approach must remain proportionate: once the security problem has been demonstrated on a small scale, no further action should be taken.

The objective of this policy is to make clear that the ethical hacker’s primary motivation should be to find and demonstrate vulnerabilities rather than purposefully pursuing extraction of sensitive information or personal data, which includes computer data, communication data, and personal data. Any knowledge of sensitive data should occur incidentally, as an unintended consequence of legitimate vulnerability testing.

Actions that are not allowed

  • Revealing the problem without Olympus Mobility’s written permission;
  • Attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties;
  • Copying or altering data from the IT system or deleting data from that system;
  • Changing the IT system parameters;
  • Installing malware: viruses, worms, Trojan horses, backdoors, etc.;
  • (Distributed) Denial of Service attacks;
  • Social engineering attacks;
  • Phishing attacks;
  • Spamming;
  • Stealing passwords or brute force attacks;
  • Installing a device to intercept, store or learn of (electronic) communications that are not accessible to the public;
  • The intentional interception, storage or receipt of communications not accessible to the public or of electronic communications;
  • The deliberate use, maintenance, communication or distribution of the content of non-public communications or of data from an IT system where the participant should reasonably have known it had been obtained unlawfully.

If the participant wishes to use the assistance of a third party to carry out his or her research, the participant must ensure that the third party is aware of this policy and agrees, by offering assistance, to abide by its terms.

Confidentiality

The participant must strictly refrain from sharing or disclosing any information collected under our policy with third parties without our prior and explicit consent.

Similarly, it is not permitted to reveal or disclose computer data, communication data or personal data to third parties.

In the event that the vulnerability may also affect other organisations in Belgium, the participant or the organisation responsible may nevertheless inform the CCB (vulnerabilityreport@cert.be).

Bona fide execution

Our organisation undertakes to implement this policy in good faith and not to take legal action, either civil or criminal, against a participant who complies with its conditions.

The participant must be free of fraudulent intent, intent to harm, intent to use or intent to cause damage to the visited system or its data. This also applies to third-party systems located in Belgium or abroad.

If there is any doubt about any of the conditions of our policy, the participant must first ask our contact point (security@olympus-mobility.com) and obtain written consent before acting.

Processing of personal data

The purpose of a CVDP (Coordinated Vulnerability Disclosure Policy) is not to intentionally process personal data, but it is possible that the participant may have to process personal data, even incidentally, in the course of his or her vulnerability research.

The processing of personal data is broad in scope and includes the storage, alteration, retrieval, consultation, use or disclosure of any information that could relate to an identified or identifiable natural person. The "identifiable" character of the person does not depend on the mere will of the data processor to identify the person, but on the possibility of identifying, directly or indirectly, the person by means of these data (for example: an e-mail address, identification number, online identifier, IP address or location data).

Thus, it is possible that the participant processes personal data to a limited extent. In the event of processing such data, the participant undertakes to comply with the legal obligations regarding the protection of personal data and the terms of this policy, in particular:

  • The participant undertakes to process personal data only in accordance with the instructions of our organisation, as described in this policy, and exclusively for the purpose of investigating vulnerabilities in the systems, equipment or products of our organisation. Any processing of personal data for any other purpose is excluded.
  • The participant undertakes to limit the processing of personal data to what is necessary for the purpose of vulnerability scanning.
  • The participant shall ensure that the persons authorised to process personal data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.
  • The participant shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (e.g. encryption - see Reporting). The participant declares that he/she understands the risks associated with the implementation of this policy and that he/she has the necessary expertise and experience to test our organisation's systems, equipment and products safely and in compliance with applicable laws and regulations.
  • The participant undertakes to assist us, to the extent possible and taking into account the nature of the processing and the information available to the participant, in the implementation of our obligations relating to the exercise of the rights of data subjects, the security of the processing and any impact assessment.
  • The participant undertakes to inform us of any personal data breach as soon as possible after becoming aware of it at privacy@olympus-mobility.com.
  • The participant may not keep any personal data processed for longer than necessary. During this period, the participant must ensure that this data is stored with a level of security appropriate to the risks involved (preferably encrypted - see Reporting). At the end of his/her participation in the policy, this data must be deleted immediately.
  • The participant undertakes to keep a register of the categories of processing activities carried out on behalf of our organisation, including a description of the security measures implemented by the participant, in accordance with Article 30, § 2 of the GDPR.

The participant may work with a third party to carry out its research. The participant shall ensure that the third party is aware of this policy and agrees, by providing assistance, to abide by its terms, including confidentiality and the implementation of appropriate security measures. The participant acknowledges that he/she remains fully responsible to our organisation if the third party he/she has engaged does not fulfil its data protection obligations.

Should the participant process personal data, stored and/or otherwise processed by our organisation, in a manner inconsistent with this policy or for purposes other than the investigation of potential vulnerabilities in our organisation's systems, products and equipment, the participant acknowledges that he/she will be considered a data controller and will assume full responsibility for the processing carried out in this way.

Reporting

Please consider the following guidelines:

  • Substantiate your findings by taking screenshots and providing clear instructions for assessing and reproducing the exploitation of the vulnerability, or by providing theoretical proof of the existence of the vulnerability;
  • Provide accurate timestamps corresponding to your tests and take care to clearly indicate the timezone of your timestamps; a good idea is to add the timezone offset to your timestamps, e.g. +0000 shows us your timestamps are in UTC;
  • E-mail your findings to security@olympus-mobility.com. Encrypt your findings using our disclosure public key to prevent this critical information from falling into the wrong hands.

Our promise

  • We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date;
  • If you have followed the instructions above, we will not take any legal action against you in regard to the report;
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission;
  • We will keep you informed of the progress towards resolving the problem;
  • In the public information concerning the problem reported, we will provide full credit to you as the discoverer of the problem (unless you desire otherwise);
  • As a token of our gratitude for your assistance, we offer an Olympus Mobility Security Champion coffee mug or T-shirt as per your preference.

Applicable law

Belgian law is applicable to any disputes arising from the application of this policy.

The CCB (vulnerabilityreport@cert.be) may act as an intermediary in an attempt to reconcile our organisation and the participant for problems related to the application of this policy.

Contact

Any questions regarding the Coordinated Vulnerability Disclosure Policy can be sent to security@olympus-mobility.com.