Effective: December 28, 2025 | Security Research

Security & Responsible Disclosure Policy

Guidelines for reporting security vulnerabilities, our safe harbor commitments, and security practices.

Key Points
  • Report vulnerabilities to security@vaicat.com
  • We acknowledge reports within 5 business days
  • Safe harbor protection for good-faith research
  • 90-day remediation target for confirmed vulnerabilities

1. Reporting Vulnerabilities

1.1 How to Report

If you discover a security vulnerability, please report it by email to:

Security Reports: security@vaicat.com

1.2 What to Include

Please provide:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any proof-of-concept code (if applicable)
  • Your contact information for follow-up

1.3 Response Timeline

We acknowledge every report within 5 business days. Confirmed vulnerabilities are handled against the 90-day remediation target described in Section 4.2, and we keep you informed of progress until the issue is resolved.

1.4 Priority Handling

We prioritize vulnerabilities affecting:

  • Authentication and authorization systems
  • Personal data protection
  • Payment processing
  • Core infrastructure security

2. Safe Harbor Protection

2.1 Our Commitment

We commit not to take legal or adverse action (see Section 2.2) against security researchers who:

  • Act in good faith to identify and report vulnerabilities
  • Avoid privacy violations or data access beyond necessity
  • Do not disrupt service availability
  • Follow the guidelines in this policy
  • Allow reasonable time for remediation before disclosure

2.2 What Safe Harbor Covers

For qualifying research, we will not:

  • Pursue civil claims against you
  • Refer your activities to law enforcement
  • Take adverse action against your account

2.3 Limitations

Note: We cannot bind third parties or government authorities. Our safe harbor applies only to vaicat's own legal actions.

3. Scope

3.1 In-Scope Systems

  • vaicat.com and vaic.at websites
  • Official mobile applications (mEUvy, EUorigin, priVIT, EUnify)
  • Public APIs and endpoints
  • Authentication and authorization systems
  • Data protection and privacy controls

3.2 Out of Scope

The following are excluded from this program:

  • Social engineering attacks against employees or users
  • Denial of Service (DoS/DDoS) attacks
  • Physical security testing
  • Automated scanning that degrades performance
  • Third-party services and infrastructure
  • Vulnerabilities that reproduce only in outdated versions of our software

4. Disclosure Timeline

4.1 Coordinated Disclosure

We ask researchers to:

  • Allow reasonable time for remediation before public disclosure
  • Coordinate disclosure timing with our security team
  • Avoid sharing vulnerability details with third parties during remediation

4.2 Our Target

We generally target remediation within 90 days for confirmed vulnerabilities. Critical issues affecting authentication or data protection receive expedited handling.

4.3 Public Acknowledgment

With your consent, we may publicly acknowledge your contribution to improving our security. We do not currently operate a paid bug bounty program.

5. Prohibited Actions

The following actions fall outside safe harbor protection: any research that does not meet the conditions in Section 2.1, and any activity listed as out of scope in Section 3.2 (for example social engineering, denial of service, physical intrusion, or accessing or retaining personal data beyond what is strictly needed to demonstrate a vulnerability).

6. Our Security Practices

6.1 Technical Measures

  • Encryption: TLS/HTTPS for all data in transit
  • Access Controls: Role-based access with least privilege
  • Authentication: Strong password requirements, optional 2FA
  • Monitoring: Security event logging and alerting
  • Backups: Regular encrypted backups

6.2 Organizational Measures

  • Training: Security awareness for all employees
  • Incident Response: Documented procedures for security events
  • Vendor Management: Security requirements for third parties
  • Regular Assessment: Periodic security reviews

6.3 User Responsibilities

To help protect your account:

  • Use strong, unique passwords
  • Enable two-factor authentication where available
  • Keep your devices and software updated
  • Report suspicious activity immediately
  • Never share your login credentials

7. Data Breach Notification

In compliance with GDPR Articles 33 and 34, we maintain documented procedures for detecting, assessing, and responding to personal data breaches.

7.1 What Constitutes a Breach

A personal data breach is any security incident leading to:

  • Unauthorized access to personal data
  • Unauthorized disclosure of personal data
  • Loss or destruction of personal data
  • Alteration of personal data without authorization

7.2 Internal Response Procedure

Our documented internal procedures cover detecting a suspected breach, assessing its scope and the risk to affected individuals, and carrying out the notification and record-keeping steps described in Sections 7.3 to 7.6.

7.3 Supervisory Authority Notification

We notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms. This includes, for example, a breach that:

  • Involves sensitive personal data
  • Affects a significant number of individuals
  • Involves data that could lead to identity theft or fraud

Notification includes: nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed. If notification is made later than 72 hours, it is accompanied by the reasons for the delay.

7.4 User Notification

We notify affected individuals without undue delay when a breach is likely to result in a high risk to their rights and freedoms. This includes situations where:

  • Financial data may be compromised
  • Identity documents or credentials are exposed
  • Sensitive personal data is affected
  • The breach could lead to discrimination, reputational damage, or other significant harm

7.5 Notification Content

When we notify you of a breach, we will provide:

  • Description of what happened
  • Types of data involved
  • Likely consequences
  • Steps we've taken to address the breach
  • Steps you can take to protect yourself
  • Contact information for questions

7.6 Documentation

We maintain records of all personal data breaches, including:

  • Facts relating to the breach
  • Effects and consequences
  • Remedial actions taken
  • Reasoning for decisions made

These records are available to supervisory authorities upon request.

7.7 Reporting a Suspected Breach

If you believe your data may have been compromised or you notice suspicious activity:

  • Email: security@vaicat.com
  • Subject: "Suspected Data Breach"
  • Include any relevant details about what you observed

8. Bug Bounty Program

vaicat does not currently operate a paid bug bounty program.

We offer:

  • Public acknowledgment (with consent)
  • Safe harbor protection
  • Gratitude for helping improve security

Security Contact

  • Security Reports: security@vaicat.com
  • General Support: support@vaicat.com
  • Response Time: acknowledgment within 5 business days