Coordinated Vulnerability Disclosure Policy (CVDP)
This article is intended for security researchers who, with good intentions, wish to research and/or report vulnerabilities in our systems, equipment, and products. Its purpose is to establish the rules applicable to this type of vulnerability research and disclosure.
Between
The public-law association with legal personality MAATSCHAPPIJ VOOR HET INTERCOMMUNAAL VERVOER - SOCIETE DES TRANSPORTS INTERCOMMUNAUX, with its registered office at 1000 Brussels, rue Royale 76 and with company number 0247.499.953, RPR Brussels, represented by Mr Brieuc de Meeûs, CEO (hereinafter ‘STIB-MIVB’);
and
Any natural person who commits to comply with this policy and intends to identify and/or confirm any IT-related vulnerabilities in at least one of the targets in scope of this policy (hereinafter “the Participant”).
Scope of the policy
In order to improve the performance and security of our networks and digital systems, we have adopted a coordinated vulnerability disclosure policy (CVDP). This policy gives the Participant the opportunity to search for potential vulnerabilities in STIB-MIVB owned systems, equipment and products with good intentions and to share any information they discover about a vulnerability.
Accessing our digital systems and equipment is however only permitted with the intention of improving STIB-MIVB overall security, with the intent to inform STIB-MIVB of the existence of the vulnerabilities identified, and in strict compliance with the conditions set out in this document.
The Participant is permitted to introduce or attempt to introduce computer data into our computer system and to target STIB-MIVB assets by using industry-recognised ethical hacking tools or personally written scripts, provided they align with the purposes and conditions set forth by this policy. If the Participant wishes to use the assistance of a third party to carry out his or her research, the Participant must ensure that the third party is aware of this policy, agrees to it and offers assistance to ensure compliance with this policy. The Participant acknowledges that he/she remains at all times fully responsible for the actions (or lack thereof) of such third party.
The policy considers the following to be included in scope:
- Internet-facing systems, Application Programming Interfaces (APIs), services and websites hosted by the STIB-MIVB
- STIB-MIVB mobile applications published on Google Play or Apple App Store
- Wired and wireless networks of the STIB-MIVB which are available from a publicly accessible area
- STIB-MIVB hardware (Information Technology/Operational Technology) which is publicly accessible
Important: Our social media channels are to be considered out of scope for this policy as well as all other systems which are dependent on third parties, unless the third party explicitly agrees to these rules in advance.
Performing research on information systems which are not explicitly included by this policy could lead to legal prosecution against the Participant.
Mutual agreements
Knowledgeable
The Participant must be a natural person who shall possess the necessary skills, knowledge, expertise and experience to perform security testing of our systems aiming to identify, confirm and report vulnerabilities while remaining compliant with all applicable laws and regulations.
Proportionality
The Participant must strictly adhere to the principle of proportionality in all his/her activities, i.e. not to disrupt the availability of the services provided by the system and not to make use of the vulnerability beyond what is strictly necessary to demonstrate the security flaw. The approach must remain proportionate: if the vulnerability has been demonstrated on a small scale, no further action should be taken.
It shall not be the objective of the Participant to intentionally gather knowledge on the content of STIB-MIVB computer data, communication data, personal data or other relevant knowledge. Such knowledge shall only occur incidentally in the context of the search for vulnerabilities.
Actions which are not allowed
As a Participant you are not allowed to perform the below actions/attacks:
- Copying, altering or deleting data from the targeted system;
- Changing (system) parameters;
- Installing malware: viruses, worms, Trojan horses, or any other malicious software;
- Social engineering;
- Phishing;
- Spamming;
- Stealing passwords or brute force attacks;
- Installing a device to intercept, store or read digital communications on places which are not accessible to the general public;
- Distributed Denial-of-Service (DDoS);
- Intentionally impacting business operations;
- The intentional interception, storage or receipt of physical communications;
- The deliberate use, maintenance, communication or distribution of the content of non-public communications or of data from an Information Technology system where the Participant should reasonably have known it had been obtained unlawfully.
Confidentiality
The Participant is not permitted to reveal or share any information collected during his/her research with third parties without the prior and explicit written consent of the STIB-MIVB Corporate Information Security Officer (vulnerability@stib-mivb.brussels). This prohibition includes log files, evidence, computer data, communication data and personal data.
The Participant is expected to securely destroy all information after reporting the observations made to STIB-MIVB security team as per the process described in this document.
For confidentiality purposes the Participant is not allowed to store any information/data in the cloud during the time of his/her investigation unless it is encrypted both in transit and at rest.
Bona Fide
As STIB-MIVB we commit ourselves to implementing this policy in good faith, and we do not intend to take legal action, either civil or criminal, against a Participant provided he/she aligns with and complies with the purposes and conditions set forth by this policy.
The Participant must be free of fraudulent intent, intent to harm, intent to (ab)use or intent to cause damage to the targeted system or the data they contain.
If there is any doubt about any of the conditions of this policy, the Participant must first contact the STIB-MIVB Corporate Information Security Officer (vulnerability@stib-mivb.brussels) for written consent and/or clarifications before acting.
Processing personal data
The processing of personal data is broad in scope and includes the storage, alteration, retrieval, consultation, use or disclosure of any information that could relate to an identified or identifiable natural person. The "identifiable" character of the person does not depend on the judgement of the Participant, but on the possibility of identifying the person by means of these data, both directly and indirectly (for example: an e-mail address, identification number, reversibly anonymised data, online identifier, Internet Protocol address, etc.).
The Participant shall not intentionally process personal data, but it is possible that the Participant may have to process personal data, even incidentally, in the course of his or her vulnerability research. In the event of processing such data, the Participant must undertake any action necessary to comply with the legal obligations regarding the protection of personal data [1] and to process personal data only in accordance with the instructions of the STIB-MIVB and the terms of this policy, in particular:
- The Participant shall process personal data exclusively for the purpose of investigating vulnerabilities in scope of this policy. Any processing of personal data for any other purpose is prohibited.
- The Participant limits the processing of personal data to the absolute minimum of what is necessary for the purpose to identify or confirm the vulnerability.
- The Participant shall ensure that any third party involved respects confidentiality or is subject to an appropriate legal obligation of confidentiality.
- The Participant shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (e.g. encryption).
- The Participant must be willing to assist the STIB-MIVB, to the extent possible, in the implementation of our obligations relating to the exercise of the rights of data subjects.
- The Participant shall inform the STIB-MIVB Data Protection Officer (dpo@stib-mivb.brussels) as soon as possible after becoming aware of any personal data.
- The Participant may not keep any personal data processed for longer than absolutely necessary. During this period, the Participant must ensure that this data is stored with a level of security appropriate to the risks involved (preferably encrypted).
- The Participant shall immediately delete any (personal) data he/she holds after submitting the report and related evidence.
- The Participant will, to the best of his/her ability and in accordance with Article 30, § 2 of the General Data Protection Regulation (GDPR), keep a register of the categories of processing activities carried out on behalf of the STIB-MIVB, including a description of the security measures implemented by the Participant.
The Participant acknowledges that he/she remains fully responsible if the third party he/she has engaged does not fulfil its data protection obligations.
Should the Participant process personal data, stored and/or otherwise processed by our organisation, in a manner inconsistent with this policy or for purposes other than the investigation of potential vulnerabilities in our systems, the Participant acknowledges that he/she will be considered a data controller and will assume full responsibility for the processing thereof.
Reward & compensation
We will be sincerely grateful for your contribution in helping us to keep our digital infrastructure and system(s) secure. The STIB-MIVB however does not provide any type of compensation, neither in cash nor through other means, for submitting a vulnerability report.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The different phases of the approach end-to-end
Phase 1: Discovery & identification
When the Participant becomes aware of information relating to a potential vulnerability, the Participant should, where possible, carry out prior checks to confirm the existence of the vulnerability, gather evidence and identify any risks involved.
Phase 2: Notification – submitting the vulnerability report
The Participant must share as soon as possible all technical information and evidence regarding the possible vulnerability/ies (see annex 1 for a template report) by e-mail at vulnerability@stib-mivb.brussels.
If you need to transfer large files, you can indicate in the report that you would like to upload/share larger files so that a solution can be found. Please mention the total size of the file(s) you would like to share.
Only messages which fall within the expected scope will be acknowledged. Such acknowledgement may contain an internal reference and/or a reminder of the main obligations of the coordinated vulnerability disclosure policy, as well as the next steps.
Phase 3: Communication
Both the Participant and the STIB-MIVB will constructively collaborate to the best of their abilities to ensure continuous and effective communication which might be needed to correctly identify, replicate and/or address the vulnerability.
Phase 4: Investigation
The investigation phase will allow the STIB-MIVB to replicate the environment and behaviour in order to verify the information submitted within the vulnerability report. During this phase, the STIB-MIVB will also analyse if similar systems could be affected.
Phase 5: Development of a solution
Once the vulnerability and impacted systems have been identified, the main objective is to remediate the vulnerability before damage can be done. During this phase the STIB-MIVB will roll out and/or implement a constructive and durable solution to address the vulnerability identified while safeguarding the proper functioning of other existing functionalities.
Possible public disclosure
The STIB-MIVB will decide, keeping in mind the position and arguments provided by the Participant, whether to eventually disclose the identified vulnerability/ies to the public. If the decision is in favour of public disclosure, the publication will be coordinated by the communications department of the STIB-MIVB.
The Participant is reminded that he/she is not permitted to reveal or share any information without the prior and explicit written consent of the STIB-MIVB Corporate Information Security Officer (vulnerability@stib-mivb.brussels). This prohibition includes log files, evidence, computer data, communication data and personal data as well as any result or outcome originating from one of the above-described phases.
Applicable law
Belgian law is applicable to any disputes arising.
Duration & applicability
This policy is applicable as of its publication on the website until it is modified or deleted by the STIB-MIVB. Changes or deletions will be published on our website and will apply automatically.