As a service provider to financial institutions, Yellowtail Conclusion places a high priority on the privacy and security of its clients. We ensure that all personal data processed through our systems is in safe hands. To achieve this, we regularly conduct tests and actively scan our applications and infrastructure for potential vulnerabilities.
However, it is possible that a weakness may still exist in one of our systems. If you discover such a vulnerability, we kindly ask that you report it to us so that we can take appropriate action as quickly as possible.
How can you report vulnerabilities?
You can report vulnerabilities by sending an email to: cvd@yellowtail.nl.
When doing so, we ask that you please:
- Describe the vulnerability as clearly and completely as possible, including the steps to reproduce it, the URL/IP address involved, and the potential impact. Providing a possible solution is appreciated.
- Do not exploit the vulnerability, for example by accessing more data than necessary to demonstrate the issue.
- Do not share the vulnerability with others until the issue has been resolved.
- After you receive confirmation that the vulnerability has been resolved, please delete any data you may have obtained during your investigation.
- Do not make any changes to the system (such as installing backdoors).
- Vulnerabilities resulting from social engineering, physical attacks, DDoS, brute force attacks, spam, malware, or third-party applications are considered outside the scope of this policy.
Reporting anonymously or under a pseudonym is allowed, if preferred.
How does Yellowtail Conclusion handle your report?
We will assess the report to determine the severity and scope of the issue. Following this assessment, our Security Officer, Service Manager, and our system administration and development teams will determine and implement appropriate mitigating measures based on the risk level.
What do we promise you?
- Your report will be evaluated within 5 working days.
- We will not take legal action against you as a result of your report, provided you have complied with the conditions listed under “How can you report vulnerabilities?”
- Your report will be treated confidentially. We will not share your personal data with third parties, unless required to do so by competent authorities.
- You will be kept informed of the progress toward resolving the vulnerability.
- If you wish, we can publicly credit you as the discoverer of the vulnerability when it is disclosed.
- If your report leads to the successful resolution of a system vulnerability, we would be happy to reward you with a €50 gift voucher.
