Responsible disclosure policy
Background, scope & purpose
Studio Plopsa attaches significant importance to the security of its data and its information systems. Nevertheless, despite our best efforts and concern, there may still be vulnerabilities that, for example, an ethical hacker or computer scientist may discover.
Studio Plopsa has therefore opted for this policy of coordinated disclosure of vulnerabilities (also known as the ‘Responsible Disclosure Policy’) so that people who discover a vulnerability can privately and securely inform us about it.
This Responsible Disclosure Policy applies only to Studio Plopsa-owned systems and applications. Unless explicitly stated, third-party services, vendors, and partners are out of scope. Testing of such systems is strictly prohibited unless Studio Plopsa has published explicit authorization.
Policy requirements
Reporting a vulnerability
Responsible disclosure reveals vulnerabilities in a responsible manner in joint consultation between you and Studio Plopsa. If you discover a vulnerability in one of our systems, you must:
- Report the issue by submitting the information as described below using this form.
- Write your message in English.
- Explain the issue and provide sufficient details to allow us to identify and/or reproduce the issue so that we can resolve the problem as quickly as possible.
- Provide additional information such as IP addresses, URLs of the affected system, screenshots, etc.
- Leave your contact details so Studio Plopsa can contact you if needed to work together towards a solution. Leave at least your name, e-mail address and/or telephone number. Reporting under a pseudonym is possible, but make sure that we can contact you if we should have additional questions.
Do's and don'ts that apply
Do not disclose any information regarding the security issue through other channels
Do not share information concerning the vulnerability with third parties, whether before or after informing Studio Plopsa about the issue, or even after it has been resolved. Such behavior will be considered irresponsible and civil law proceedings may be instituted against you. If, after the vulnerability has been removed, you wish to publish information about the vulnerability, we ask you to notify us at least one month before publication, and to give us the opportunity to respond. Identifying us in a publication is only possible after we have given our explicit approval.
Do not abuse the vulnerability found
Acts under this Responsible Disclosure Policy should be limited to conducting tests to identify potential vulnerabilities, and sharing this information with Studio Plopsa:
- Do not take any action that is not absolutely necessary to detect a potential vulnerability or report a vulnerability.
- Only collect the information necessary to inform us of the issue.
- Do not copy, delete, view or modify Studio Plopsa data.
Do not perform actions that could have an impact on the proper functioning of our systems, both in terms of availability and performance, and in terms of confidentiality and integrity of the data. It is therefore not allowed, for example, to perform any of the following actions (non-exhaustive list): placing malware; copying, modifying or deleting data in a system; making changes to the system; using brute-force techniques to access a system; (distributed) denial of service attacks.
Do not use attack methods that test the physical security of our buildings and premises
Do not use attack methods that target our people (e.g., via phishing and other social engineering methods)
In case of doubt about the applicability of this policy, please contact us first via the above-mentioned contact form, to ask for explicit permission.
What we promise
- We will respond to your report within 10 working days, with our review of the report and any expected date for resolution. We strive to solve all problems within a short period of time.
- We will contact you again if we need any additional information.
- We will inform you of the progress of solving the issue identified.
- We will thank you for any report of a security vulnerability, and if such vulnerability were not yet known to us, we would like to offer you to be listed in our Responsible Disclosure Hall of Fame. We will not offer any other form of compensation.
- We will treat your report confidentially and will not share your personal data with third parties without your consent unless this is necessary to comply with a legal obligation.
Further considerations
We reserve the right to ignore low-quality reports, including those that report vulnerabilities that are negligible in terms of risk.
If you find a vulnerability, but do not follow the responsible disclosure rules set out above, we reserve the right to take action or legal proceedings and/or to report the matter to the police.
We reserve the right to change the content of this Policy at any time or to terminate the Policy.
Legal safe harbour
If you comply with this policy and act in good faith:
- Studio Plopsa will not initiate legal action against you.
- We consider your research authorized under applicable laws, including the Computer Misuse Act, GDPR, and relevant Belgian/EU cybersecurity legislation.
- We will work with you to clarify any misunderstandings and resolve issues quickly.
Note: Legal protection does not extend to actions that intentionally compromise data confidentiality, system availability, or operational continuity. We reserve the right to report any action not compliant with this policy to the local authorities.
If you comply with this policy, your security research will be considered authorized under Belgian law and EU directives, including NIS2. Studio Plopsa will not pursue legal action against you, nor will we refer your actions to law enforcement, provided that your actions remain within scope and do not intentionally cause harm.