At Touch Network B.V., we consider the security of our systems very important. Despite our care for the security of our systems, it is possible that a vulnerability may still exist. If you discover a vulnerability in one of our systems, we would appreciate it if you report it to us so that we can take measures as quickly as possible. We would like to work with you to better protect our customers and our systems.
We ask you to:
• Email your findings to privacy@touchincentive.com;
• Not misuse the problem, for example by downloading more data than necessary to demonstrate the vulnerability, or by viewing, deleting, or modifying third-party data;
• Not share the problem with others until it has been resolved, and to delete any confidential information obtained through the vulnerability immediately after it has been fixed;
• Refrain from using attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications;
• Provide sufficient information to reproduce the problem so we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but for more complex vulnerabilities, more details may be required.
What we promise:
• We will respond to your report within 5 days. We will let you know whether it concerns a vulnerability previously unknown to us. If it is a new vulnerability, we will assess the risk and decide whether to implement the solution you suggested. If so, we will keep you informed about the progress of resolving the issue;
• As a thank you for your help, we offer a reward of €25 for every report of a previously unknown security issue for which we decide to implement a solution;
• If you have adhered to the above conditions, we will not take legal action against you regarding your report;
• We will treat your report confidentially and will not share your personal details with third parties without your consent, unless required to comply with a legal obligation. Reporting under a pseudonym is possible. In communications about the reported issue, we will mention your name as the discoverer only if you wish.
We strive to resolve all problems as quickly as possible and would appreciate being involved in any publication about the issue once it has been resolved.