We have to face the fact that vulnerabilities may occur even in our systems. We would be very grateful for your help in detecting such vulnerabilities, and we invite experts to support us by reporting any possible vulnerabilities they find.
Who can report a vulnerability?
Anyone who discovers a possible weak spot in the Van Lanschot Kempen systems can report a vulnerability.
What is the scope?
The responsible disclosure programme covers only the following domains (and all underlying subdomains):
Which vulnerabilities can you report?
You can report problems related to the security of services that Van Lanschot Kempen offers online. Examples of vulnerabilities that can be reported include:
How do you make a report?
Have you discovered a vulnerability? Please contact us as soon as possible by sending an email message to: email@example.com.
Please describe the security problem you have discovered in as much detail as possible. Your report will be read by specialists, so you can use technical terminology and be specific wherever necessary.
You are free to include your contact details (name and possibly your telephone number) or to make an anonymous report.
What will we do with your report?
A team of security experts will investigate your report and will provide an initial response within two working days. In the meantime, please keep the issue confidential, discuss it with our experts, and give them time to resolve the problem. We will inform you of our assessment of your report, and we will let you know whether and when we will apply a solution.
As a token of our gratitude for your assistance, we offer a reward for every report of a vulnerability that we are actually able to resolve or that leads to a change in our services. Van Lanschot Kempen will determine, at its discretion, whether your report qualifies for a reward and what would be commensurate. In the event that your report qualifies, we will need your personal particulars in order to effect payment.
Please note: You are free to make an anonymous report. It is important to note, however, that in this event, we will not be able to make arrangements with you regarding the follow-up of your report, any possible reward, or whether or not charges will be pressed. (Please refer to ‘What are the rules?’)
What are the rules?
While investigating the vulnerability you have discovered, you may have inadvertently committed a criminal offence. If you act in good faith, with integrity, and in careful compliance with the rules as stated below, the bank will have no reason to press charges. It is, therefore, important that you abide by the following rules when investigating a possible vulnerability:
If you would like to be informed about the follow-up of your report, you can choose to provide us with your contact details (name, email address, possibly your telephone number). We will not disclose your identity to any third party without your prior consent, nor will we use your personal details for any purpose other than to process your report appropriately, unless a legal obligation mandates disclosure of that information. We will protect your personal data in compliance with the guidelines described in the Personal Data Protection Act (WBP).
Miscellaneous terms and conditions
All matters related to internet security and privacy are governed by Dutch law. We can only accept reports that are drawn up in Dutch or English.