Have you discovered a vulnerability? Let us know.
At Pon Holdings B.V. and its subsidiaries, we consider the security of our systems, networks, and online services to be our top priority. We are convinced that good security is essential to maintain the trust that our clients, suppliers, and employees place in us. Despite the continuous effort we invest in optimizing our security, vulnerabilities may still exist.
If you have the skills to discover vulnerabilities in our systems, we ask you to report them to us as quickly as possible. This helps us improve our security and reliability. Our responsible disclosure policy is not an invitation to actively scan our corporate network in detail, as we already actively monitor our networks.
What this program is NOT intended for
Please note that this reporting channel is strictly for IT security vulnerabilities. It is not intended for:
- Submitting complaints about Pon Holdings B.V. services or products.
- Questions or complaints regarding the availability of our websites or services.
- Reporting fraud or suspicions of fraud.
- Reporting fake emails or phishing emails.
- Reporting malware or viruses.
What you CAN report
We are looking for reports of severe vulnerabilities that have a demonstrably real impact on our security. Examples of qualifying vulnerabilities include:
- Remote Code Execution (RCE)
- Cross‑Site Scripting (XSS) vulnerabilities
- Cross‑Site Request Forgery (CSRF) on sensitive actions
- SQL Injection vulnerabilities
- Flaws related to encryption
- Unauthorized access to sensitive data
Non‑qualifying vulnerabilities
To ensure our security specialists can focus on critical issues, the following types of reports are explicitly excluded. Reports falling into these categories will be classified as informational/invalid and are not eligible for any reward:
- Any report lacking a clear proof of concept demonstrating potential exploitation.
- Reports based solely on output from automated tools (e.g., port scanners, AI generated reports).
- Vulnerabilities found on sites of organizations that are no longer part of Pon Holdings B.V.
- Email configuration issues such as missing or misconfigured SPF, DKIM, or DMARC records.
- CSRF vulnerabilities on static or unauthenticated pages.
- Missing HTTP Security Headers (e.g., HSTS, X‑Frame‑Options) or clickjacking, especially on non‑login pages.
- Missing HttpOnly or Secure flags on non‑sensitive cookies.
- Redirection from HTTP to HTTPS.
- HTML missing charset or unrecognized charset.
- Cached pages or HTTP Trace Method.
- HTTPS response pages or user enumeration on websites where no sensitive data or transactions are present.
- Potential presence of outdated server or application versions (banner grabbing) without concrete proof of exploitability.
- Server fingerprinting or version disclosure of underlying technologies, frameworks, or software components without concrete proof of exploitability.
- Reports of insecure SSL/TLS protocols, missing CAA records, or OCSP stapling issues without an exploitable scenario.
- Generic vulnerabilities related to software or protocols not under the direct control of Pon.
- Distributed Denial of Service (DDoS) attacks.
- Rate limiting vulnerabilities.
- Spam, social engineering, or physical security attacks.
- EXIF metadata in images or default webpages with low impact.
The Rules of Engagement
During your research, you may perform actions that are strictly speaking illegal. However, if you act in good faith, carefully, and strictly adhere to the following rules, we will not take legal action against you.
- Do not cause damage: ensure your research does not harm our systems.
- No social engineering: do not use social engineering techniques against our employees or contractors to gain access.
- No service disruption: your actions must never lead to the interruption or degradation of our services.
- Data privacy: your research must never lead to the public disclosure of corporate, employee, or client data.
- No backdoors: do not place backdoors in any system, not even to demonstrate the vulnerability. Placing a backdoor makes the system less secure.
- Do not alter or delete data: do not make any configuration or system changes.
- Copy only what is necessary: if you need to copy data to demonstrate a vulnerability, copy the absolute minimum required (e.g., 1 record). If one record is sufficient, do not go further.
- Limit access: try to penetrate a system only as far as absolutely necessary. If you gain access, do not share it with others.
- No brute‑forcing: do not use brute‑force techniques (repeatedly guessing passwords) to gain access.
How to Report
Report your discoveries as quickly as possible to [email protected]. If you wish to encrypt your report, please inform us in your email, and we will provide you with the necessary instructions.
To process your report efficiently, it must be clear and concise. Please include:
- The exact steps you took.
- The full URL or IP address of the affected system.
- The specific objects involved (e.g., input fields, filters).
- Concrete evidence / Proof of Concept demonstrating how to reproduce the issue (video or screenshots if possible).
- An assessment of the risk or exploitability.
- (Optional but encouraged) A proposed solution.
Rewards
We encourage everyone to report discovered vulnerabilities to us. If you are the first to report a qualifying vulnerability, and you keep the issue confidential until it is resolved, you may be eligible for a reward.
The reward depends on the severity of the problem, the type of system affected, and the quality of the report.
No reward will be given for reports of non‑qualifying vulnerabilities, reports lacking proof of exploitability, or if there is any sign of abuse. Multiple reports of the same vulnerability with minimal differences will be treated as one report.
To prevent unnecessary handling of your personal data, our rewards take the form of Amazon gift cards.
Please note that Pon reserves the sole right to determine reward eligibility. All decisions are final, and we do not engage in further discussion or correspondence regarding rewards once a submission has been reviewed.