Proximus vulnerability disclosure policy

Guidelines for reporting security vulnerabilities

Reporting vulnerabilities

We value the expertise and help of the cyber security community in maintaining our high security standards. You can use this site to report any suspected security vulnerabilities related to our services or products.

If you are aware of a vulnerability that could affect Proximus’s services or products, please contact us via the link disclosed under “How to Report a Vulnerability”. Our security specialists will review all submissions and, where required, work with you to make sure we are able to fix any potential issues as quickly as possible.

Rules of engagement

Vulnerability disclosure policy guidelines

In order to improve the performance and security of our networks and information systems, we have adopted a coordinated vulnerability disclosure policy. This policy gives reporters the opportunity to search for potential vulnerabilities in our organisation's systems, equipment and products with good intentions or to pass on any information they discover about a vulnerability.

However, access to our IT systems and equipment is only permitted with the intention of improving security, informing us of existing vulnerabilities and in strict compliance with the other conditions set out in this document.

Our policy concerns security vulnerabilities that could be exploited by third parties or disrupt the proper functioning of our products, services, networks or information systems.

The reporter is also permitted to introduce or attempt to introduce data into our computer system, subject to the purposes and conditions of this policy.

Our organisation undertakes to implement this policy in good faith and not to take legal action, either civil or criminal, against a reporter who complies with its conditions.

The reporter must be free of fraudulent intent, intent to harm, intent to use or intent to cause damage to the visited system or its data. This also applies to third-party systems located in Belgium or abroad.

If there is any doubt about any of the conditions of our policy, the reporter must first ask our contact point and obtain its written approval before acting.

The reporter undertakes to comply strictly with the principle of proportionality in all their activities, i.e. not to disrupt the availability of the services provided by the system and not to make use of the vulnerability beyond what is strictly necessary to demonstrate the security flaw. Their approach must remain proportionate: once the security problem has been demonstrated on a small scale, no further action should be taken.

This policy does not permit intentionally gaining knowledge of the content of data, communication data or personal data; such knowledge may only occur incidentally in the course of searching for vulnerabilities.

  • Do submit your reports in English
  • Do exercise caution and restraint with regard to personal data and do not intentionally engage in attacks against third parties, social engineering, denial-of-service attacks, physical attacks on any Proximus property or spamming or otherwise causing a nuisance to other users.
  • Do provide Proof-of-Concept or sufficient information to enable reproduction of the vulnerability, so that it can be verified, reproduced, and possible remedies identified. Generally, identification of the vulnerable target, a description of the vulnerability and operations carried out to exploit the vulnerability are sufficient, but more details and information might be required in the case of complex vulnerabilities.
  • Do not abuse the vulnerability by causing disruption through your actions.
  • Do not share information about the vulnerability with others until it has been resolved in accordance with the Proximus Responsible Disclosure policy timeframes.
  • Do submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Scope

This policy covers suspected security vulnerabilities that can be misused for illegal purposes and which occur:

  • On our sites (www.proximus.com; www.proximus.be; www.scarlet.be; www.tango.lu; www.bics.com; www.telindus.com & www.skynet.be)
  • Within our products and services, IT-systems and networks.

Systems that are dependent on third parties are excluded from the scope of this policy, unless the third party explicitly agrees to these rules in advance.

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

The following actions are not allowed:

  • copying or altering data from the IT system or deleting data from that system;
  • changing the IT system parameters;
  • installing malware: viruses, worms, Trojan horses, etc.;
  • Distributed Denial of Service (DDOS) attacks;
  • social engineering attacks;
  • phishing attacks;
  • spamming;
  • stealing passwords or brute force attacks;
  • installing a device to intercept, store or learn of (electronic) communications that are not accessible to the public;
  • the intentional interception, storage or receipt of communications not accessible to the public or of electronic communications;
  • the deliberate use, maintenance, communication or distribution of the content of non-public communications or of data from an IT system where the reporter should reasonably have known it had been obtained unlawfully.

Proximus commitments

  • Proximus will treat submitted reports confidentially and will not share the finder’s personal details with third parties without their authorisation, unless required to do so in order to comply with legal obligations.
  • Proximus appreciates your help in optimising the security of its systems and networks and will get in touch with you within 2 working days. We will contact you via the e-mail address or other contact information you have provided, and we will keep you informed of further developments.
  • Proximus does not operate a bug bounty or hall of fame programme.

Personal data

The processing of personal data is broad in scope and includes the storage, modification, retrieval, consultation, use or disclosure of any information that may relate to an identified or identifiable natural person. The "identifiable" character of the person does not depend simply on the data processor's intention to identify the person, but on the possibility of identifying the person, directly or indirectly, with the help of these data (for example: an email address, identification number, online identifier, IP address or location data).

In this case, make sure that you comply with your obligations regarding the protection of personal data (GDPR) as a data controller, e.g. respecting the principles of necessity and proportionality and implementing adequate security measures.

You should delete any personal data immediately at the end of the reporting procedure or, in the event of a challenge or legal proceedings in which the personal data would be relevant, at the end of those proceedings.

You guarantee to not further disclose, use, or misuse any personal data obtained or processed under this policy.

Should you process personal data, stored and/or otherwise processed by Proximus, in a manner inconsistent with this policy or for purposes other than the investigation of potential vulnerabilities in Proximus’ systems, products and equipment, you acknowledge that you will be considered a data controller and assume full responsibility for the processing carried out in this way.

If you want to report any other type of issue, please follow the CSIRT RFC2350 Description version 1.9.

How to report a vulnerability?

Please help us by providing as much information as possible about the problem you have discovered. If you have not yet done so, please review the rules and guidelines set out above before submitting the information.

Report a vulnerability