Coordinated Vulnerability Disclosure
At Luméro we take the security of our systems seriously. Think you have found a vulnerability? Please report it via security@lumero.nl so we can resolve it together before others can abuse it.
This Coordinated Vulnerability Disclosure (CVD) policy – also known as responsible disclosure – explains how to safely report a vulnerability you have found in our systems, and what you can expect from us in return.
1. What we ask of you
- Report your finding as soon as possible via security@lumero.nl, with enough information to reproduce the problem. Usually the URL or IP address of the affected system and a description are sufficient; complex vulnerabilities may require a proof of concept.
- Do not exploit the problem further than is necessary to demonstrate the vulnerability. Do not download more data than needed and do not alter or delete any data.
- Do not access, modify, or delete third-party data, and do not cause damage to our systems or those of others.
- Do not share the problem with others until it has been resolved, and erase any confidential data obtained through the vulnerability immediately after the issue is fixed.
- Do not use denial-of-service (DoS/DDoS), spam, social engineering (including phishing), attacks on physical security, malware, high-volume automated scanning, or attacks on third-party applications.
This is not an invitation to actively and extensively scan our systems or network for vulnerabilities. We monitor our own environment, so a scan is likely to be detected and may trigger unnecessary investigation.
2. What you can expect from us
- We will acknowledge your report within 5 business days, with an initial assessment and an estimate of when we expect to have a resolution.
- We will treat your report confidentially and will not share your personal data with third parties without your consent, unless we are legally required to do so.
- We will keep you informed of our progress in resolving the problem.
- We will resolve the vulnerability within a reasonable period and will agree the timing of any public disclosure with you (coordinated disclosure).
- If you wish, we will credit you by name as the discoverer of the vulnerability.
- We do not offer a monetary reward for reports. Our gratitude is genuine, and we are happy to acknowledge your contribution by name.
Safe harbour: If you comply with the conditions of this policy and act in good faith, we consider your report lawful and will not take legal action against you in connection with it. We cannot, however, guarantee that third parties will refrain from doing so, nor can we waive the discretion of the Public Prosecution Service.
3. Disclosure timeline
We aim to resolve vulnerabilities within 90 days of your report. We agree the timing of publication with you; ordinarily we only disclose a vulnerability after it has been fixed.
4. Scope
This policy applies to Luméro's public website and email infrastructure: lumero.nl and its subdomains, and email (security@lumero.nl and the lumero.nl mail domain).
The following are out of scope (among other things):
- Third-party services and platforms we rely on (such as our hosting, DNS, and email providers). Please report vulnerabilities in those directly to the relevant party.
- Findings with little or no demonstrable impact, such as missing best-practice headers without a demonstrated exploit, missing rate-limiting, self-XSS, clickjacking on static pages, and automated-scanner output without a working proof of concept.
5. Anonymous or pseudonymous reporting
You may report anonymously or under a pseudonym. Please note that in that case we cannot keep you informed of progress, cannot ask follow-up questions, and cannot credit you by name.
6. If we disagree
If we are unable to reach agreement on how the report is handled or on the timing of disclosure, either you or we may involve an independent third party to mediate. In the Netherlands, the National Cyber Security Centre (NCSC) can be engaged for this purpose. The final assessment of whether something is a vulnerability remains with Luméro as the system owner.
7. How we handle your data
We process the personal data in your report (such as name, contact details, and the content of the report) on the basis of our legitimate interest (GDPR art. 6(1)(f)) to assess and remediate vulnerabilities. See our privacy statement for more information.
8. Machine-readable policy (security.txt)
Our security contact details are also available in machine-readable form per RFC 9116: /.well-known/security.txt.
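As an added illustration of what RFC 9116 requires of such a file (this is example code written for this page, not Luméro's own security.txt or tooling), the checker below parses a security.txt document and reports the violations a publisher most often gets wrong: a missing Contact field, a Contact value that is not a mailto:/https:/tel: URI, and an Expires field that is absent, duplicated, malformed, already in the past, or more than a year away. The sample document is constructed: the contact address is the one named in this policy, while the Expires date and the Policy URL are assumptions for illustration only.

```python
"""Minimal RFC 9116 (security.txt) checker. Added example, not Luméro's code."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample of what a /.well-known/security.txt could contain.
# Only the mailto: contact comes from the policy text; Expires and Policy
# are assumed values, not Luméro's real file.
SAMPLE_SECURITY_TXT = """\
# Security contact (constructed sample)
Contact: mailto:security@lumero.nl
Expires: 2027-06-01T00:00:00.000Z
Preferred-Languages: nl, en
Policy: https://lumero.nl/security
"""

# RFC 9116 wants Contact values to be URIs; these are the schemes it names.
ALLOWED_CONTACT_SCHEMES = {"mailto", "https", "tel"}


def _parse_iso(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' means UTC, naive means UTC."""
    when = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map lower-cased field name -> list of values; comments and blanks skipped."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            continue  # not a "name: value" line; ignored by this checker
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: str | datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes these checks."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_iso(now)
    fields = parse_security_txt(text)
    problems: list[str] = []

    # Contact is REQUIRED (at least once) and every value must be a URI.
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for contact in contacts:
        if urlparse(contact).scheme.lower() not in ALLOWED_CONTACT_SCHEMES:
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact!r}")

    # Expires is REQUIRED exactly once, ISO 8601, in the future, ideally < 1 year out.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        try:
            when = _parse_iso(expires[0])
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 datetime: {expires[0]!r}")
        else:
            if when <= now:
                problems.append(f"security.txt expired on {expires[0]}")
            elif when - now > timedelta(days=366):
                problems.append("Expires is more than a year away (RFC 9116 recommends less)")

    # Preferred-Languages may appear at most once.
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must appear at most once")
    return problems


if __name__ == "__main__":
    for problem in check_security_txt(SAMPLE_SECURITY_TXT) or ["no problems found"]:
        print(problem)
```

Passing `now` explicitly makes the check reproducible (and lets you ask "will this file still be valid next month?"); with no argument it uses the current UTC time, which is what a periodic monitoring job would do to catch a file that has silently expired.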
Last updated: June 2026