Back to homepage

Responsible Disclosure Policy

This is the Responsible Disclosure Policy of Teal Partners. Teal Partners is a private company with limited liability under Belgian law, with registered offices at Damplein 23, 2060 Belgium, and which is registered at the Crossroads Bank of Enterprises under company number 0642.824.542 ("Teal Partners", "we", "our").

Last update of this policy is mentioned at the bottom of this document. This policy may be adapted, modified or supplemented at any time, as well as terminated. We therefore advice you to regularly check this document.

Introduction

Teal Partners considers the security of our systems and data a top priority.

No matter how much effort we put into the security of our systems and data, vulnerabilities can still be present. Should you discover a security vulnerability, we ask you to report the vulnerability to us through the process of coordinated disclosure of vulnerabilities as described in this policy, also known as responsible disclosure. By doing this, we can safely take steps to address the security vulnerability as quickly as possible to improve the security of our systems and data.

Scope

List of the websites within the scope of this policy:

• www.tealpartners.com
• www.youbo.io
• www.viren.be

Systems dependent on third parties are outside the scope of this policy, unless these third parties explicitly agree in advance to these rules.

Which security vulnerabilities can be reported?

The responsible disclosure process is intended for reporting suspected vulnerabilities in our systems, including our websites - www.tealpartners.com and www.youbo.io - that can be abused and/or lead to amongst others:

• the theft of (personal or non-personal) data;
• unauthorised modification or deletion of data;
• interruption or modification of access to our systems;
• disruption of the proper functioning of our systems; or
• etc.

The responsible disclosure process is not intended for reporting:

• questions about the functioning of our systems; and
• notifications about viruses, phishing emails, email fraud, etc.

How to report security vulnerabilities?

• Please report the security vulnerability as soon as possible after discovery, exclusively through [email protected] and preferably in Dutch or in English;
• Make use of an encrypted mail to prevent the information from falling into the wrong hands;
• Describe the problem in sufficient detail, and include any necessary evidence;
• Leave your contact details, so that we can contact you. Leave at least your name, e-mail address and/or telephone number. Reporting under a pseudonym is possible, as well as providing us with an email address leading to an anonymous mailbox, but make sure that we can contact you if we should have additional questions;
• Confirm that you have acted and will continue to act in accordance with this Responsible Disclosure Policy;
• Only notify Teal Partners of your findings and only via this process. Do not publish details about the security issue through other channels. Making the vulnerability known through other channels or the media, whether before or after notifying Teal Partners via this process, will be considered irresponsible disclosure and will lead to the filing of criminal charges;
• Do not exploit the identified vulnerability. Only collect the information necessary to demonstrate its existence. Do not change or delete any data or system settings;
• Always operate within legal boundaries when identifying potential security vulnerabilities. Amongst others the following actions are not permitted:
• copying or altering data from the IT system or deleting data from that system;
• changing the IT system parameters;
• installing malware: viruses, worms, Trojan horses, etc.;
• Distributed Denial of Service (DDOS) attacks;
• social engineering attacks;
• phishing attacks;
• spamming;
• stealing passwords or brute force attacks;
• installing a device to intercept, store or learn of (electronic) communications that are not accessible to the public;
• the intentional interception, storage or receipt of communications not accessible to the public or of electronic communications;
• the deliberate use, maintenance, communication or distribution of the content of non-public communications or of data from an IT system where the participant should reasonably have known it had been obtained unlawfully.

These actions are strictly prohibited because they can cause harm to Teal Partners, its staff or its clients. Therefore in any event they will be considered and treated as targeted attacks.

In these and other cases, Teal Partners will not guarantee that you will not be prosecuted since there is a risk that the authorities will take the necessary measures in response to such attacks. In any case, in those circumstances Teal Partners itself will also consider filing criminal charges.

What happens to reported vulnerabilities?

• If you have provided any contact information, we will respond to your message as soon as possible;
• We will treat your report confidentially and we will not share your personal data with third parties without your consent unless this is necessary to comply with a legal obligation;
• We will do everything possible to resolve any shortcomings as quickly as possible, and we will keep you informed throughout the process (if contact information was provided);
• We may choose to ignore low quality reports;
• We will not undertake any legal action provided that you accept and actually apply all the rules of this policy;
• In any case, Teal Partners will never grant rewards for any discovered vulnerabilities.

Further information

If you have any questions or remarks regarding this policy, please contact us through [email protected].

In case of doubt about the applicability of this policy, please contact us first via the above email address in order to ask for explicit permission.

Applicable law

Belgian law shall apply to any disputes relating to the application of this policy.

Last updated: 25 January 2024