These Responsible Disclosure Guidelines describe the voluntary program through which Baloise Belgium engages with individuals (unrelated to Baloise and its third-party service providers) who identify and report potential security vulnerabilities in Baloise systems. The guidelines provide direction for identifying and submitting information about potential vulnerabilities to Baloise Belgium and its subsidiaries. They apply only to vulnerabilities affecting systems owned or controlled by Baloise Belgium, not to systems of any third party, including systems owned or controlled by Baloise Belgium's clients, business partners, or others.
Reporting parties must submit their information to responsibledisclosure@baloise.be. This mailbox is checked periodically. By reporting a vulnerability, the reporter accepts the terms of service.
These Responsible Disclosure Guidelines apply to all systems, applications, and services owned, operated, or managed by Baloise Belgium or its subsidiaries. This includes, but is not limited to:
- Web applications
- Mobile applications
- APIs
- Cloud services
The scope does not include any other entity of the Helvetia Baloise Group, such as (but not limited to) Baloise Luxembourg, Baloise Germany, …
To be accepted and validated, the report must include the following information:
- Contact email address
- Description of the vulnerability
- Location of the vulnerability (for example the affected URL, host, application, or API endpoint)
- Step-by-step instructions or a proof of concept to reproduce the issue
- Source of the information
- Whether the information has been published or shared with others
Nice to have:
- Recommended fix (if known to the reporter)
- Assumed impact if exploited
- CVSS v4.0 vector
- Baloise Belgium will only respond to privately disclosed vulnerabilities and may publish details of them in the Baloise hall of fame.
- Baloise Belgium does not provide monetary or other compensation in exchange for information about potential security vulnerabilities under this Responsible Disclosure Program.
- Baloise Belgium may choose not to pursue, contact, or otherwise interact with reporters who decline to identify themselves when making a report.
- Baloise Belgium will deal in good faith with reporting parties who comply with these Responsible Disclosure Guidelines.
- Baloise Belgium may choose to disregard submissions from parties who submit a high volume of low-quality reports.
- Baloise Belgium assumes that all reports are made in good faith and reserves the right to take action where this is not the case.
For parties conducting security research and vulnerability disclosure activities on Baloise systems in accordance with these Responsible Disclosure Guidelines:
- Baloise Belgium will not initiate or recommend any law enforcement or civil lawsuits related to such activities.
- In the event of any law enforcement or civil action brought by anyone other than Baloise Belgium, Baloise Belgium will take reasonable steps to make known that the activities of the affected parties were conducted pursuant to and in compliance with these Responsible Disclosure Guidelines (safe harbor).
Activities conducted under these Responsible Disclosure Guidelines must be limited exclusively to:
- Testing to detect a potential vulnerability or to identify an indicator related to a potential vulnerability; or
- Sharing information with Baloise Belgium, or receiving information from Baloise Belgium, related to a potential vulnerability.
Baloise Belgium does not authorize, permit, or otherwise allow (expressly or impliedly) anyone to engage in any illegal activity. If you engage in any activities that are inconsistent with these Responsible Disclosure Guidelines or any applicable law, you may be subject to criminal and/or civil liabilities/penalties.
Parties conducting activities under these Responsible Disclosure Guidelines must do no harm. In particular, they must refrain from the following (including but not limited to):
- Exploiting any security vulnerability beyond the minimal amount of testing required to demonstrate that a potential vulnerability exists
- Intentionally accessing the content of any communications, data, or information transiting or stored on Baloise Belgium network(s) or system(s)
- Compromising the privacy or safety of Baloise Belgium employees, customers, or any third parties
- Intentionally compromising the intellectual property or other commercial or financial interests of Baloise Belgium, its employees, customers, or any third parties
- Posting, transmitting, uploading, linking to, sending, executing, or storing any malicious software on any Baloise Belgium network(s) or system(s)
- Causing or attempting to cause a denial-of-service (DoS) condition
- Copying, modifying, or deleting data in a system
- Making changes to a system
- Brute-forcing access to systems or stealing passwords
- Installing malware such as viruses, worms, or Trojan horses
- Social engineering attacks
- Phishing attacks
- Spamming
- Installing a device to intercept, store, or learn of (electronic) communications that are not accessible to the public
- Intentionally intercepting, storing, or receiving communications not accessible to the public, or electronic communications
Reporting parties must give Baloise Belgium the opportunity to correct a potential vulnerability within a reasonable timeframe and must not publicly disclose the identified issue.
Parties conducting activities under these Responsible Disclosure Guidelines must comply with all applicable federal, regional, and local laws related to security research or to any other activity covered by these guidelines.
To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of an entity other than Baloise Belgium, that entity may independently determine whether to pursue legal action or remedies in relation to such activities.