Vulnerability Disclosure Policy
At Thomas More, we consider the security of our systems and data to be of paramount importance. Despite our care for security, vulnerabilities can still occur. If you discover a weak spot in one of our systems, we would like to hear about it so that we can take measures as quickly as possible. We look forward to collaborating with you to better protect our systems, data, and users.
Point of Contact
Please email your findings and contact details to security@thomasmore.be. To secure the communication, you can use our PGP public key.
Reporting
When reporting a vulnerability, please include:
- Description: A clear description of the vulnerability
- Assets impacted: IP addresses, URLs and other relevant resources
- Steps to Reproduce: Detailed steps that allow us to reproduce the issue
- Impact: An explanation of the potential impact of the vulnerability
- Proof of Concept: Supporting materials (screenshots, logs, etc.) that demonstrate the issue
- Your Contact Information: How we can reach you for follow-up questions
Our Commitment
When you report a vulnerability, we commit to:
- Acknowledge receipt of your report within a reasonable timeframe
- Verify your report and assess the severity of the reported security issue
If the security issue is confirmed, we commit to:
- Keep you informed about our progress in resolving the issue
What We Ask of You
It is expected that you handle the discovered vulnerability with care. Specifically, we expect you:
- Not to exploit the security issue by downloading, copying, viewing, deleting, modifying, or making unavailable more data than is strictly necessary to demonstrate the leak.
- Not to share confidential data found through the vulnerability with others and to delete it immediately after we have resolved the security issue
- Not to use physical security attacks, denial of service (DoS/DDoS), spam, or social engineering of our employees or students
- Not to place any malware (viruses, worms, trojans, etc.)
- Not to make any changes to the systems
- Not to compromise the confidentiality, integrity, availability and performance of our systems
Thomas More's Commitment
We will not pursue legal action against researchers who discover and report vulnerabilities in accordance with this policy. We will treat your report confidentially and will not share your personal data with third parties without your permission, unless necessary to comply with a legal obligation.