Report a vulnerability
Discovered a vulnerability? Let us know ASAP
At Jacobs Meubels, we work intensively on the security and optimization of our website and systems. Despite our efforts, unforeseen vulnerabilities can still occur.
Have you found an SQL injection, XSS or CSRF vulnerability, weak encryption, an information leak, an authentication/authorization issue, or any other security problem on our website and do you want to report it to us? Then you've come to the right place. We are happy to work with you to protect our website visitors and we would like to receive your findings as soon as possible, so we can resolve the issue quickly.
This page provides information for developers and security professionals. If you have a general question or remark regarding our website, please visit our contact page.
What we promise you:
- We won't take any legal action against you regarding your report, unless we have a strong suspicion that you have abused the vulnerability you found or shared knowledge about it with others before it was fixed. You can rest assured that a responsible report will not lead to legal consequences.
- We will handle your report with strict confidentiality, and will not pass on your personal details to third parties without your permission. The exception is the police and the public prosecutor's office, in the case of legal proceedings or if the data is lawfully demanded.
- We will immediately take action on your report. However, analyzing the problem and determining how to solve it can take some time. You can expect a response from us with our assessment, including an estimate of the time we will need to address the issue, within at most three working days. Of course, we will regularly keep you posted on our progress.
- We will resolve the vulnerability as soon as possible. Proportionality is important here: the amount of time required to fix a vulnerability depends on several factors, among which the severity and the complexity of the issue at hand.
- It is important to us to credit you for what you did - if you wish. We will mention your name or nickname in a publication regarding the vulnerability only if you agree to this. In addition to acknowledgement and eternal fame, we may also have a nice reward for you.
- Should you find a vulnerability in third party software that we use and that vulnerability is covered by a bug bounty program, we will not try to claim this bounty; both credits and reward should be yours.
What we expect from you:
- When you are investigating a vulnerability on our website or in one of our systems, bear in mind the proportionality of the attack.
- This principle of proportionality is also relevant when demonstrating the vulnerability itself. You should not inspect or modify more data than strictly necessary to confirm the validity of your finding. For instance, if you are able to modify our homepage, just add a single non-controversial word to it instead of taking over the entire page. If you can obtain access to a database, it suffices to show us a list of the tables in it, or perhaps the first record of one of those tables. In other words: do not abuse the discovered vulnerability by, for example, downloading more data than necessary to demonstrate it, or by deleting or modifying other people's data. We also take your report seriously without 'evidence', and we will investigate any suspicion of a vulnerability.
- You can submit your findings using the form below, or send them to security@tiepi.nl. Preferably, encrypt your message with our public PGP key to prevent critical information from falling into the wrong hands.
- Do provide enough information so we can reproduce and investigate the issue. Usually, the URL of the affected system and a description of the vulnerability will be sufficient.
- You will not share your knowledge of the vulnerability with other parties as long as we have not addressed the issue and we are still within a reasonable timeframe since you reported the issue.
- You will delete all confidential information you have obtained during your investigation as soon as we have resolved the vulnerability.
Version 1.0, 28 May 2021.
This policy is based on the example text responsible disclosure policy by Floor Terra.
Reported vulnerabilities
Jacobs Meubels thanks the following security researchers for their responsible disclosures:

| Date | Reporter | Vulnerability | Response |
|---|---|---|---|
| Sep 6, 2021 | Abdeali | Permissions-Policy header not set | We applied a Permissions-Policy on Sep 7, 2021. |
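The finding in the table above is a missing `Permissions-Policy` response header. The script below is an added example, not Jacobs Meubels' own tooling or the reporter's method: it parses a raw HTTP response, lists which commonly recommended security headers are absent, and decodes a `Permissions-Policy` value into a per-feature allowlist so a reviewer can see which browser features the policy actually restricts. The two sample responses are constructed for the example; the feature names used (`camera`, `microphone`, `geolocation`, `payment`, `fullscreen`) are standard policy-controlled features.

```python
"""Audit security response headers, with a parser for Permissions-Policy.

Added example. The sample responses below are constructed, not captured
from any real site.
"""
from typing import Dict, List, Optional

# Headers a researcher commonly checks for on a public website.
RECOMMENDED_HEADERS = (
    "Permissions-Policy",
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
)


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.x response (status line, headers, blank line, body)
    into a dict. Header names are case-insensitive, so keys are lower-cased."""
    headers: Dict[str, str] = {}
    lines = raw.splitlines()
    for line in lines[1:]:          # skip the status line
        if not line.strip():        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return the recommended headers that are not present in the response."""
    present = {name.lower() for name in headers}
    return [h for h in RECOMMENDED_HEADERS if h.lower() not in present]


def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Decode a Permissions-Policy value into {feature: allowlist}.

    '()' disables the feature for every origin, '*' allows every origin,
    'self' is the page's own origin, and quoted strings are explicit origins.
    Malformed directives raise ValueError rather than being silently skipped,
    because a typo in this header can leave a feature unrestricted."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(","):
        directive = directive.strip()
        if not directive:
            continue
        feature, _, allow = directive.partition("=")
        feature, allow = feature.strip(), allow.strip()
        if allow == "*":
            policy[feature] = ["*"]
        elif allow.startswith("(") and allow.endswith(")"):
            policy[feature] = [tok.strip('"') for tok in allow[1:-1].split()]
        else:
            raise ValueError(f"malformed allowlist in directive {directive!r}")
    return policy


def audit_response(raw: str) -> Dict[str, object]:
    """Combine both checks into one report for a raw response."""
    headers = parse_raw_headers(raw)
    pp_value: Optional[str] = headers.get("permissions-policy")
    return {
        "missing": missing_security_headers(headers),
        "permissions_policy": parse_permissions_policy(pp_value) if pp_value else None,
    }


# Constructed sample responses: before and after applying the header.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
    "<html></html>"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=(self), payment=()\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(raw))
```

Feeding the "before" response reports `Permissions-Policy` among the missing headers; the "after" response no longer lists it and shows `camera`, `microphone` and `payment` disabled everywhere and `geolocation` limited to the site's own origin. Note that a present but empty allowlist on every feature is a reasonable default for a site that uses none of them, and that the parser deliberately fails on a malformed directive instead of reporting the header as fine.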