Responsible Vulnerability Disclosure Policy

1 Introduction

1.1 Purpose

Vulnerability disclosure is the process of revealing vulnerabilities. Under this responsible vulnerability disclosure policy, a vulnerability is revealed only after Brussels Airport Company (BAC) has cooperated with the security researcher to develop a fix based on the researcher's finding concerning a vulnerability in the Brussels Airport Company environment. This policy provides security researchers with a framework for submitting vulnerabilities to Brussels Airport Company. By having a vulnerability disclosure policy, Brussels Airport Company wants to:

  • Streamline the vulnerability reporting process

  • Show its commitment to information security and data protection

  • Build trust among stakeholders and customers

  • Establish a set of rules for security researchers and ethical hackers to follow when testing its services and digital infrastructure.

This policy applies to any security researcher, referred to as researcher in this document, reporting a vulnerability.

By having a responsible vulnerability disclosure policy, Brussels Airport Company states its willingness to collaborate with external partners to improve its security posture and provides researchers with a framework for reporting vulnerabilities.

The conditions outlined in this policy apply only to persons whose intention is to improve Brussels Airport Company's security posture, to inform us of existing vulnerabilities, and to act in strict compliance with the other conditions set out in this document.

1.2 Scope

Internet-facing assets (such as, but not limited to, websites, mobile applications or APIs) related to the brusselsairport.be domain are in scope of the vulnerability disclosure process. This policy applies to all websites and subdomains where it is published. Systems depending on a third party are not in scope of this policy; the responsible vulnerability disclosure policy of that third party applies instead. However, if the researcher finds that the third party has no applicable responsible disclosure policy, Brussels Airport Company encourages the researcher to get in touch and will help the researcher reach the third party, as part of its societal duty to improve the cybersecurity posture of our industry.

If you have any questions about the scope of this policy, please contact the Cyber Security team at vulnerabilities@ictsecurity.brusselsairport.be.

2 Mutual obligations of the parties

2.1 Legal framework

Researchers shall at all times comply with the law of 18 October 2024 regarding the security of network and information systems (NIS2 law), and in particular articles 30-38 of that legislation. In that respect, researchers shall observe and comply with the conditions below:

  • The researcher must act without any fraudulent intent or intention to cause harm.

  • The researcher must have the necessary expertise and experience to test our organisation's systems, equipment and products safely and in compliance with applicable laws and regulations.

  • The researcher must promptly inform BAC about the discovery of a potential vulnerability.

  • The researcher may not exceed what is necessary and proportionate to confirm the existence of a vulnerability.

  • The researcher shall never disclose the vulnerability, in whole or in part, for any reason, not even for scientific reasons (being the first to publish) or intellectual property reasons; such disclosure will disqualify the researcher and expose them to liability.

  • The researcher may not disclose any information about the discovered vulnerability without the consent of Brussels Airport Company.

Researchers acknowledge and accept that any other potential liability arising from actions or omissions that are not necessary to carry out the reporting procedure referred to in Article 62/1 of the NIS-law and which do not meet the conditions set out in article 62/2, §1 of the NIS-law (as summarized above) will remain subject to the applicable law, including the criminal offence of hacking as set out in article 550bis of the Belgian Penal Code.

2.2 Proportionality

Further to the above, researchers commit to comply with the principle of proportionality in all their activities, i.e. not to disrupt the availability of the services in scope and not to exploit vulnerabilities beyond what is strictly necessary to demonstrate the security problem. In any case, researchers shall not cause harm to Brussels Airport Company's operations. Their approach must remain proportionate: once the vulnerability has been demonstrated on a small scale, no further action may be taken unless Brussels Airport Company asks the researcher to investigate the findings further, under its control and in a controlled environment.

2.3 Actions that are not allowed

Below is a non-exhaustive list of actions that are considered harmful, fraudulent or disproportionate and are therefore not allowed, both before and after the private disclosure. The list only gives an overview of some of the most important prohibited actions.

  • Copying, modifying or deleting data from the ICT system.

  • Modifying the parameters of the ICT system.

  • Installing malware (viruses, worms, Trojan horses, etc.).

  • Performing DDoS (Distributed Denial of Service) attacks.

  • Social engineering attacks.

  • Phishing simulations.

  • Spamming.

  • Password stealing or brute-force attacks on passwords.

  • Installing a device to intercept, store or retrieve (electronic) communications that are not accessible to the public.

  • Intentionally intercepting, storing or receiving (electronic) communications that are not publicly accessible.

  • Intentionally using, maintaining, transmitting or distributing the content of non-public communications or data from an ICT system that the researcher should have known was obtained unlawfully.

Any of the above actions performed by a researcher shall give rise to civil and criminal liability.

Overall, the researcher must also refrain from exploiting the vulnerability beyond what is strictly necessary to demonstrate it (see 2.2), even when preparing a proof of concept.

2.4 Confidentiality

Under no circumstances should researchers disclose or distribute any information collected under this policy to any third party without prior and express consent by Brussels Airport Company, without prejudice to any mandatory exception under applicable law.

It is also not permitted to disclose or distribute ICT data, communications data or personal data to third parties, nor to publicly disclose the vulnerabilities found, without the consent of Brussels Airport Company, without prejudice to any mandatory exception under applicable law.

If researchers seek the assistance of a third party to conduct their test, they must ensure that the third party is aware of this policy in advance and agrees to abide by its terms, including the confidentiality obligations, when providing assistance.

2.5 Safe harbour clause

Brussels Airport Company will not pursue legal or criminal action against any researcher who adheres strictly to these terms and conditions and who has not wilfully inflicted harm on Brussels Airport Company. The researcher must not engage in fraudulent activities, have any intention to cause damage, or have any desire to exploit or harm the visited system or its data.

If researchers have any uncertainty regarding the terms of this policy, they should first reach out to our designated mailbox, vulnerabilities@ictsecurity.brusselsairport.be, and act in accordance with the written response they receive. The absence of a response from vulnerabilities@ictsecurity.brusselsairport.be does not constitute tacit consent to anything asked in the correspondence.

2.6 Processing of personal data

This vulnerability disclosure policy is not intended to involve the processing of personal data. Unless it is necessary to prove the existence of a vulnerability, researchers shall not consult, retrieve or store personal data.

However, researchers may inadvertently gain access to personal data stored, processed or transmitted in the ICT system concerned. It may also be necessary for the researcher to temporarily consult, retrieve or use personal data in the context of a vulnerability assessment. In that case, researchers must inform Brussels Airport Company immediately at vulnerabilities@ictsecurity.brusselsairport.be.

When processing personal data, researchers shall comply with the legal obligations relating to the protection of personal data and with the relevant provisions of this policy.

The processing of personal data for purposes other than the detection of vulnerabilities in BAC's systems, equipment or products is not permitted. Researchers undertake to limit the processing of personal data to what is necessary for the purpose of vulnerability detection.

Researchers shall not retain personal data for longer than is necessary. While retaining it, researchers shall ensure that the data is stored with a level of protection appropriate to the risks (i.e. encrypted). Once the data has served its purpose under this policy, it must be promptly and completely erased.

Finally, researchers must notify us of any loss, alteration, disclosure of or access to personal data as soon as possible after becoming aware of it.

3 Security vulnerability reports

3.1 Point of contact

Researchers can share their discoveries by submitting them through BAC's bug bounty program on the designated platform. This platform allows findings to be processed in a structured way and offers additional incentives to researchers.

If a researcher is unable to use the standard platform, discoveries can be shared by email at vulnerabilities@ictsecurity.brusselsairport.be.

3.2 Content

The disclosure from the researcher to Brussels Airport Company must be complete and self-supporting. It may not be cryptic, nor reveal the nature of the vulnerability only partially so as to give the disclosure a blackmailing character.

The disclosure may not be conditional.

The disclosure may not contain threats or demands for monetary rewards for the research (although Brussels Airport Company does not exclude monetary rewards).

The disclosure must contain all the elements needed for Brussels Airport Company to reproduce the vulnerability.

In exchange, Brussels Airport Company commits to credit the researcher as the author of the disclosure and to contribute to the researcher's scientific reputation in the community, unless the researcher has behaved negatively in the past.

This responsible disclosure policy will not serve to rehabilitate a researcher whose past behaviour would require it.