Conditions for reporting vulnerabilities
Do I need to see the doctor? (Moet ik naar de dokter: hereinafter referred to as MINDD) is managed by MINDD B.V., with registered offices in Apeldoorn and registered with the Chamber of Commerce under number 55280021.
At MINDD, trust comes first and we take the protection of our customers’ data very seriously. We therefore encourage anyone who finds vulnerabilities in our systems to report them. Please read these terms carefully before running a test and/or reporting a vulnerability.
To take advantage of MINDD’s Responsible Disclosure terms, you are required to:
- limit research to the items described under the ‘The following are covered by these terms and conditions’ heading;
- avoid breaching privacy regulations, modifying the user experience, disrupting production environments and destroying data during your security testing;
- keep information about any vulnerabilities you discover confidential between you and MINDD until MINDD is able to resolve the vulnerability within our indicated resolution time frame.
If you comply with these conditions we will:
- acknowledge receipt of your report within 72 hours;
- provide an estimated resolution time for the vulnerability as soon as possible;
- notify you when the vulnerability has been resolved;
- not take any legal action in relation to your report.
You can report vulnerabilities by:
- sending an email to firstname.lastname@example.org;
- providing as much information about the vulnerability as possible, allowing the MINDD security team to confirm and reproduce the problem.
The following are covered by these terms and conditions:
- The native Do I need to see the doctor? iOS and Android apps.
- The Do I need to see the doctor? widget.
- The Do I need to see the doctor? API.
The following matters are not covered by these terms and conditions and are not permitted:
- the testing of services hosted by third parties (providers and service providers) without complying with the conditions set by these parties for testing;
- the testing of applications which are not managed by Do I need to see the doctor?;
- physical testing, such as entering offices or computer rooms without permission;
- social engineering, such as phishing;
- the testing of applications and systems not mentioned under the ‘The following are covered by these terms and conditions’ heading;
- denial of service (DoS/DDoS) vulnerabilities;
- automated testing which will result in large amounts of traffic;
- more detailed testing than is necessary for a “proof of concept”;
- the (attempted) destruction of, or damage to, data or information which you do not own.