
Coordinated Vulnerability Disclosure (CVD)

What to do if you encounter a vulnerability

Wortell attaches great importance to the security and reliability of its digital services and information systems. Despite careful development, management, and monitoring, vulnerabilities may still exist. Identifying and remedying these vulnerabilities in a timely manner is essential to limit risks for users, customers, and partners.

With this Coordinated Vulnerability Disclosure (CVD) policy, Wortell provides a clear and responsible framework for reporting security vulnerabilities by external researchers. We encourage the responsible reporting of vulnerabilities and strive for transparent, coordinated, and respectful cooperation with reporters.

This policy describes how vulnerabilities can be reported securely, how Wortell handles these reports, and what mutual expectations apply. Through this collaboration, security issues can be effectively resolved before abuse can occur, with minimal impact on continuity and confidentiality.

What we ask of reporters

In order to handle vulnerabilities carefully and securely, we ask reporters to adhere to the following principles:

Report

Research behavior 

  • Limit your research to what is necessary to demonstrate the vulnerability.
  • Do not exploit the vulnerability and do not modify or delete data.
  • Do not copy, view, or exfiltrate third-party (personal) data.
  • Do not perform any actions that affect the availability of systems, such as (distributed) denial-of-service attacks or brute-force attempts.
  • Do not share the vulnerability with third parties until it has been resolved and publication has been agreed upon.

Content of the report

  • Provide sufficient technical details so that we can reproduce and assess the vulnerability (e.g., PoC, step-by-step plan, and impact analysis).
  • Cooperate with any follow-up questions to determine the impact and cause.

What reporters can expect from Wortell

When you report a vulnerability under this policy, you can expect the following from us:

  • A confirmation of receipt within 5 business days of receiving the report.
  • A thorough technical assessment by our security specialists.
  • If necessary, we will contact you for additional information or clarification.
  • We will keep you informed of progress and remediation.
  • Coordination regarding publication, if you wish to disclose the vulnerability.
  • After resolution, we will publish a security advisory describing the impact and mitigation, if applicable.
  • We treat reports confidentially and only share information with parties necessary for analysis and recovery.

Wortell appreciates the efforts of security researchers and considers responsible reporting to be an important contribution to the security of its services and customers.

Scope

This CVD policy applies to vulnerabilities in systems and services managed by or on behalf of Wortell, including:

In scope

  • Wortell's public websites and web applications
  • Cloud environments, APIs, and integrations
  • Internally managed systems that are accessible externally
  • Software and services provided by Wortell to customers

Out of scope 

  • Third-party systems that are not managed by Wortell
  • Physical security measures without a digital component
  • Social engineering, phishing, or physical penetration testing
  • Denial-of-service (DoS/DDoS) attacks

If you are unsure whether something falls within scope, please contact us in advance at security@wortell.com.

Disclosure timeline

Wortell applies the principle of coordinated disclosure: vulnerabilities are first remedied before they are made public.

  • Wortell strives to remedy vulnerabilities within 90 days of notification.
  • If more time is needed (e.g., due to complexity or dependencies), this will be agreed upon with the reporter.
  • Disclosure will only take place in consultation with Wortell, after a fix or mitigation is available.
  • In urgent situations (critical vulnerabilities), the timeline may be accelerated.

Legal due diligence (Safe Harbor)

Wortell appreciates security researchers reporting vulnerabilities in a responsible manner and considers this an important contribution to the security of its services and customers.

If you act in line with this CVD policy, Wortell will treat your report as security research conducted in good faith. In that case, we assume that your intention is to improve security and not to cause damage.

Wortell reserves the right to make its own assessment on a case-by-case basis, for example when:

  • the vulnerability has been actively exploited;
  • third-party data has been viewed, modified, or shared;
  • the availability of systems has been disrupted;
  • the vulnerability has been shared with third parties before coordination has taken place.

In all other cases, the basic principle is that responsible reporting does not lead to prejudice against the reporter and that reports are treated confidentially.