Responsible Disclosure

We take responsibility. Will you?

At Touch Network B.V., we believe that the security of our systems is very important. Despite our care for the security of our systems, a weak spot can still exist. If you have found a vulnerability in one of our systems, we would like to hear about it. That way we can take measures as quickly as possible. We would like to work with you to better protect our customers and our systems.

We ask of you:

  • To email your findings to privacy@touchincentive.com;
  • Not to exploit the vulnerability by, for example, downloading more data than necessary to demonstrate the vulnerability or by accessing, deleting or modifying data of third parties;
  • Not to share the vulnerability with others until it is resolved, and to immediately delete any confidential data obtained after the vulnerability has been resolved;
  • Not to use physical security attacks, social engineering, distributed denial of service, spam or third-party applications;
  • To provide sufficient information to reproduce the vulnerability so that we can fix it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more information may be required for more complex vulnerabilities.

What we promise:

  • We will respond to your report within 5 days. We will indicate whether or not the vulnerability was already known to us;
  • If it is an unknown vulnerability, we will assess its risk and decide whether to implement the solution you suggest. If yes, we will keep you informed about the progress of solving the problem;
  • As a thank you for your help, we will offer a reward of up to €25 for each report of a vulnerability as yet unknown to us for which we decide to implement your proposed solution;
  • If you have complied with the above conditions, we will not take any legal action against you as a result of your report;
  • We will treat your report confidentially and will not share your personal data with third parties without your consent, unless it is necessary to do so in order to comply with a legal obligation. Reporting under a pseudonym is possible. We will only mention your name as the discoverer in reports of vulnerabilities if you wish us to do so.


Want to know more about how we safeguard you and our security? Then also read our privacy statement.
