Responsible Disclosure

Executive summary

  • This policy applies to the public engineering site published on raenbi.com and to the public contact-submission route that the site uses when that route is enabled for the deployment.
  • If you act in good faith and remain within this policy, RAENBI treats your activity as authorised security testing for the purpose of its own civil and complaint posture.
  • This policy does not override Belgian criminal law. Activity that exceeds the policy may still fall under Article 550bis of the Belgian Penal Code.
  • The verified public reporting channel for raenbi.com is the contact page or contact@raenbi.com. Use the subject prefix [CVD] so the message can be routed correctly.

Why this policy exists

raenbi.com is RAENBI's public engineering site. Its attack surface is intentionally narrow: public content pages, a consent-management interface, optional analytics activation, and a contact route. Even with that limited footprint, a real security or privacy defect can affect visitors, correspondents, or the integrity of the public site.

This policy gives researchers a clear route to report a vulnerability without guesswork and gives RAENBI a concrete operational framework for triage, remediation, and coordinated public communication. The process is informed by ISO/IEC 29147:2018, ISO/IEC 30111:2019, FIRST coordinated vulnerability disclosure guidance, and the public framework of the Centre for Cybersecurity Belgium.

Scope

In scope:

  • the public raenbi.com pages and the engineering content served from them
  • the consent-management surface visible on raenbi.com, including the cookie banner and the preferences dialog
  • the contact route exposed for raenbi.com, including the public submission endpoint used by the site when configured for that deployment

Out of scope:

  • pm.raenbi.com, kb.raenbi.com, hub.raenbi.com, staff workstations, internal tools, source-control hosting, and CI/CD systems
  • third-party platforms reached from raenbi.com but operated by other parties, including analytics providers, hosting platforms, CDN edge infrastructure, and email providers
  • denial-of-service, load-generation, brute-force, credential-stuffing, or volumetric testing
  • phishing, vishing, SMS, physical-access, or social-engineering attacks against RAENBI personnel
  • automated scanner output without a reproducible proof of concept
  • hardening suggestions or best-practice observations that do not demonstrate exploitable impact

If you find something outside scope, you may still send it as informal security feedback through the contact page, but it is not covered by the safe-harbour commitments below.

Reporting route

  1. Prepare a concise report that includes the affected URL or component, the steps to reproduce, the observed impact, the date and time of testing, and the minimum proof of concept needed to confirm the issue.
  2. Send the report via the contact page or write to contact@raenbi.com, with the subject prefix [CVD], for example [CVD] stored XSS on contact confirmation.
  3. If the first message cannot safely include full details, send a short notice first, state that the report concerns a security issue, and ask RAENBI to continue through a safer exchange route.
  4. Stay reachable for follow-up questions during triage.

English is the operational default for security correspondence. If you prefer French, Dutch, or Romanian, state that clearly in your first message.

Triage targets

Action                                 Operational target
Acknowledgement of receipt             within 2 working days
Initial severity review                within 5 working days
Status update during remediation       every 14 calendar days for material in-scope issues
Coordinated public disclosure          after remediation, at a timing agreed with the reporter where practical

If remediation needs materially longer than 90 calendar days from acknowledgement, RAENBI will explain the delay and document the revised target internally.

Safe-harbour boundaries

RAENBI's safe-harbour position applies only where the reporter:

  • acts in good faith and with the sole aim of reporting a security or privacy issue
  • limits testing to the in-scope surfaces listed above
  • stops once the issue is confirmed
  • avoids unnecessary access to personal data, business data, or credentials
  • does not degrade availability or reliability for other users
  • does not retain, publish, or share exploit details before RAENBI has had a reasonable opportunity to remediate

Where those conditions are met, RAENBI's position is that it will not itself initiate civil action or file a complaint solely because of the testing activity that stayed within this policy.

That safe harbour is narrow. It does not pre-authorise mass scanning, weaponised exploitation, persistence, privilege escalation beyond what is strictly necessary to confirm the issue, or any conduct that would exceed the boundary of authorised testing. Belgian criminal law remains applicable, including Article 550bis of the Belgian Penal Code.

What RAENBI does and does not offer

RAENBI does not currently operate a paid bug-bounty programme.

For valid in-scope reports, RAENBI may provide:

  • written acknowledgement of a valid report
  • coordinated discussion of attribution wording if a public disclosure later occurs

This page does not promise a public hall of fame, a dedicated rewards programme, CVE handling, or a standing encrypted mailbox. If RAENBI later operationalises any of those items, this policy will be updated first.

Belgian legal context

This policy is drafted against the following Belgian framework:

This page is not a self-classification statement under NIS 2 and is not, by itself, a whistleblowing channel under the Law of 28 November 2022.

Handling of personal data in your report

If you report a vulnerability, RAENBI will typically receive your email address, any name or handle you provide, the technical content of the report, and any follow-up correspondence needed to triage and remediate the issue.

RAENBI handles that information on the basis of Article 6(1)(f) of the GDPR, namely the legitimate interest in receiving, assessing, documenting, and resolving a security report on the public site, and in line with the Belgian Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data. Do not include unnecessary personal data. If your proof contains third-party personal data, redact it where possible or flag it clearly so it can be handled with extra care.

The broader rules on personal-data handling, retention, and rights requests for raenbi.com are set out in the Privacy Policy.

Related policies

Review cycle

RAENBI reviews this policy after material changes to the public site's attack surface, reporting route, or the Belgian legal framework cited above, and at least once per year.