Responsible Disclosure Policy
Introduction
At FMO Solutions, we take the security of our systems and our customers’ data very seriously. If you discover a potential vulnerability, we ask you to report it responsibly so that we can investigate and resolve it together.
This policy is intended to encourage responsible and constructive reporting — it is not a bug bounty program.
Principles
The security of our systems and the protection of our customers’ data are of great importance to us. Despite our efforts, vulnerabilities may still exist.
This policy is intended for ethical researchers and responsible users who want to help us improve the security of our systems. Malicious activity is explicitly outside the scope of this policy.
What we ask from you
If you discover a vulnerability, we ask you to:
- Send your findings by email to info@fmo-solutions.nl. We will then contact you to agree on a safe and appropriate way to share further details.
- Not exploit the vulnerability beyond what is necessary to demonstrate the issue. For example, do not download more data than strictly required and do not modify or delete data belonging to others.
- Not share the problem with others until it has been resolved.
- Not perform attacks that cause damage, such as physical attacks, social engineering, denial of service, or spam.
- Provide sufficient information to reproduce the problem. This usually includes the IP address or URL of the affected system and a clear description. For complex vulnerabilities, additional explanation may be necessary.
Quality and scope of reports
To help us assess your report effectively:
- Focus on reproducible and verifiable issues.
- Ensure findings are specific to FMO Solutions systems or configurations.
- Provide clear evidence of the potential security impact.
- Avoid submitting AI-generated, automated, or bulk reports that have not been manually validated or confirmed to apply to our environment.
Reports that do not meet these quality criteria may be closed without further review or reward.
What we promise
When you report a vulnerability in line with this policy:
- You will receive a response within two weeks with our initial evaluation and an expected timeline for resolution.
- We will not take legal action against you in relation to your report.
- We will treat your report confidentially and will not share your personal details without your permission.
- We will keep you informed of the progress in resolving the issue.
- We will mention your name as the discoverer in our communications about the issue, unless you prefer to remain anonymous.
- You may receive a reward for a report that demonstrates a clear, verifiable, and previously unknown impact on the security of our systems.
Rewards are discretionary and depend on the severity, quality, and relevance of the report. The minimum possible reward is a €50 gift voucher, but only for reports that meet the above criteria.
Out of scope
The following are considered out of scope:
- Social engineering (e.g., phishing or misleading employees)
- Physical attacks on buildings or equipment
- Denial of service attacks
- Automated or large-scale scans that disrupt the availability of systems
- AI-generated or automated reports without manual validation
- Reports not directly related to FMO Solutions systems or configurations
Our goal
We aim to resolve all issues as quickly as possible. We highly value collaboration with researchers and users and aim to play an active role in the eventual publication of findings once the issue has been resolved.