Responsible disclosure policy

At DPG Media, data security and system security are very important. Despite our diligent protection, vulnerabilities may still occur. Should you find a weak spot in one of our systems, we would love to hear about it in order to take the necessary precautions as quickly as possible. Together with you, we want to improve our system, data and user protection.

On this page you will find

  • the point of contact where you can report vulnerabilities
  • the procedure for submitting a report
  • the agreements you must adhere to
  • what we promise when we respond to your report
  • the scope and applicable law of our policy

1 Point of Contact

Send an email with your findings and contact information exclusively to

2 Procedure

2.1 Report

  • Report your findings promptly and exclusively to the abovementioned point of contact.
  • Provide us with sufficient information about the issue to allow us to reproduce and resolve it as quickly as possible. In most cases the affected system’s IP address or URL (web address) will suffice, together with a description of the vulnerability. However, more complex security issues may require additional information.

2.2 Communication

  • We will send you a delivery notification within ten days. This email will also contain information regarding your confidentiality obligation and the next steps in the procedure.
  • We will inform you in due time about our progress in finding a solution to the issue.

2.3 Research

  • During this phase we will verify your report by reproducing the vulnerability.
  • We will also accurately assess the severity of the reported security issue.

2.4 Solution

The goal of our responsible disclosure policy is to find solutions before more extensive damage could be inflicted. We will try to fix this problem as quickly as possible, according to the risks related to the vulnerability.

3 Agreements

3.1 Your research

We kindly ask you

  • not to abuse the security issue by downloading, copying, viewing, deleting, editing or relocating more information than needed to demonstrate the security issue
  • not to share confidential data –which you may have found through the vulnerability– with third parties, and to immediately delete this data once we have resolved the security issue
  • not to use physical attacks on security, social engineering, distributed denial of service, spam, brute force or third-party applications (including scan tools)
  • not to install malware (viruses, worms, Trojans etc.)
  • not to alter the system
  • not to violate the confidentiality, integrity, availability and performance capacity of our systems.

You may come across confidential information during your research. We are aware of this. However, obtaining such information should not be the purpose of your research – it can only be an accidental consequence of tracing security issues.

3.2 Your disclosure

If you wish to disclose a security issue to third parties, we ask you

  • only to do so after we have resolved the issue
  • to notify us at least one month in advance, giving us a chance to respond
  • to include us in coordinating how the issue will be disclosed
  • not to identify DPG Media or any subsidiary brands in your disclosure, neither directly nor indirectly, without our explicit consent.

4 Our promises

  • We will respond to your report within ten days.
  • We will inform you about our progress towards resolving the issue.
  • We will try to fix the issue as quickly as possible.
  • If you comply with the abovementioned agreements, we will not take any legal actions against you.
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission unless it is proven necessary to comply with legal obligations.
  • When we disclose the reported issue we will mention your name as the discoverer, but only with your explicit approval.

5 Scope and applicable law

If a dispute arises about the application, compliance with or interpretation of this policy, and an amicable settlement cannot be agreed upon, then the dispute will be submitted to the authorized court in Antwerp. The Belgian law is applicable.

This text is deducted from “Responsible Disclosure” by Floor Terra, used under a Creative Commons Attribution 3.0 license.