Responsible Disclosure
Security is core to what we build. If you believe you have found a security vulnerability in our website or services, we want to hear from you and will work with you to resolve it.
How to report
- Email security@sovereignaigrid.nl (or nick@sovereignaigrid.nl).
- Include: a description of the issue, the steps to reproduce it, the affected URL/component, its potential impact, and how we can reach you.
- Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate.
What is in and out of scope
In scope
sovereignaigrid.nl and our gated demonstration environment at medical.sovereignaigrid.nl.
Out of scope
Denial-of-service (DoS/DDoS), social engineering or phishing of our staff, physical attacks, spam, and automated scanner output without a demonstrated, reproducible proof of concept.
Protection for good-faith researchers
We will not pursue or support legal action against researchers who act in good faith and in accordance with this policy: stay within scope, avoid privacy violations, data destruction and service degradation, only interact with accounts you own or have explicit permission to test, and give us a reasonable time to remediate before any disclosure. If you follow this policy we will consider your research authorised.
What you can expect from us
- We aim to acknowledge your report within 3 business days.
- We will keep you informed of our progress toward a fix.
- With your consent, we are happy to credit you once the issue is resolved.
- We do not currently operate a paid bug-bounty programme; we offer recognition and our thanks.
A machine-readable contact is published at /.well-known/security.txt.