Reporting vulnerabilities
The European Consumer Centre (ECC) strives to ensure that our website is a safe place for everyone. However, a vulnerability may still occur. If you find a vulnerability in one of our systems, please let us know so that we can act quickly. Our responsible disclosure policy below explains how to report a vulnerability. We are happy to work with you to better protect our users and systems.
Report vulnerability
Did you find a vulnerability in one of our systems? Report it directly using our secure form.
What is a vulnerability?
A vulnerability is a weakness in a system that can lead to an unsafe situation. It can affect the availability, integrity, or confidentiality of information. For example, it might give you access to our systems and thus to confidential information, which is of course not intended.
Do you spot a typo or something else that does not cause unsafe situations but still needs to be fixed? Then contact the web editorial team by sending an email to @email
Rules for reporting a vulnerability
There are a few rules for reporting a vulnerability. Read below to understand what we expect from you and what you can expect from us.
- Test our website responsibly. Only do what is necessary to find a bug, leak, or other type of vulnerability.
- Do not exploit the vulnerability. For example, do not download more data than needed to demonstrate the leak, and do not view, delete, or modify third-party data.
- Follow these rules; that way you avoid legal action.
- Use our secure messaging system to report the vulnerability.
- Report the vulnerability as soon as you discover it.
- Clearly explain the issue so we can resolve it quickly. Typically, providing the IP address or URL and a brief description is sufficient. Screenshots are also helpful. The more complex the issue, the more information we may need.
- Do not disclose the discovered vulnerability to others until the issue is resolved.
- Share your email address with us so we can contact you.
The following is not allowed:
- Sending harmful software (malware).
- Copying, modifying, or deleting data on our website or in our systems.
- Downloading more data than necessary to demonstrate the vulnerability.
- Modifying codes or information in systems.
- Hacking the system repeatedly or persistently.
- Sharing vulnerabilities with others.
- Attempting to forcefully access our website through brute force.
- Conducting Denial of Service (DOS) attacks.
- Engaging in social engineering (psychological manipulation).
After reporting a vulnerability, you can expect the following from us:
- Your personal data is safe with us. The information you share with us will not be shared with others unless required by law or a court.
- You will be credited for reporting the vulnerability. We will place your name and the report on our Wall of Fame, but only with your permission.
- Within 5 working days, you will receive a response, and we will inform you about what we plan to do with your report. If it takes a long time to resolve the issue, you will receive updates on the progress.
- You will have the opportunity to decide with us if and how the problem will be made public. Note: we only disclose information after the problem has been resolved.
Practical information
You can report a vulnerability to us through our secure messaging system. Please include the following information in your report:
- Name (optional)
- Email address
- Type of vulnerability, for example:
  - Injection
  - Broken authentication
  - Exposure of sensitive data
  - XML External Entities (XXE)
  - Security misconfigurations
  - Cross-site scripting (XSS)
  - Broken access control
  - Insecure deserialization
  - Availability
  - Integrity
  - Confidentiality
  - Other
- A clear description of the vulnerability
- An explanation of why the discovered vulnerability is worth reporting
We handle personal data and the information you share with us with care. Below, you can read why we ask for certain information and what we do with it.
- Why do we ask for your name and email address?
We ask for your name and email address so we can contact you regarding your report. If you prefer to remain anonymous, that's fine; providing your name is not required. However, we do need an email address to get in touch with you.
- How is your data processed?
We use your data and information solely to resolve the issue with you. Once the issue is resolved, we anonymize your data. We use a secure messaging system to receive reports and do not share your personal data with third parties unless required by law or a court order.
- What are your rights?
Under privacy regulations, you have various rights. You can read more about these rights in our privacy statement.
Our policy is based on the Coordinated Vulnerability Disclosure guidelines from the NCSC and the example policy by Floor Terra, which is published under a Creative Commons Attribution 3.0 license.