Responsible disclosure policy

The organization appreciates when a reporter responsibly shares a suspected vulnerability. Reports are submitted via servicedesk@i4-you.com. The reporter uses only the minimum necessary actions to demonstrate the vulnerability and leaves systems in their original state. The finding is not shared with third parties until the problem is fixed. Physical security attacks, social engineering, (D)DoS, spam and testing on third-party applications or infrastructure not managed by us are excluded.

The organization acknowledges receipt within three business days with an initial assessment and, if possible, an expected next step. While the report is being processed, Support & Service keeps the reporter informed as long as this is justified from a security and privacy perspective. After resolution, in consultation, the name of the reporter can be mentioned. The organization will not take legal action against reporters who demonstrably comply with this policy and cause no harm.

The organization does not authorize violations of laws or regulations. Investigators will not cause disruption of services, access more data than strictly necessary, modify or delete data, or attempt to access accounts or systems of others. Expenses incurred by the reporter in connection with investigations or communications will not be reimbursed by the organization. The organization will not be liable for indirect damages resulting from investigations conducted outside the scope of this policy.