Responsible disclosure program
Discover vulnerabilities on CM platforms? Report them for a reward.
CM focuses on digital security
CM focuses on maximum digital security by working with ethical hackers. In addition to internal tests, CM also allows controlled external tests via a responsible disclosure program, in which ethical hackers search for and report vulnerabilities under strict conditions.
How do we want to achieve this?
Proactively detect and address vulnerabilities.
- CM not only tests its systems internally, but also offers external ethical hackers the opportunity to detect vulnerabilities.
- This approach provides an additional layer of protection against cybercrime.
- Security breaches are detected faster, even before they become public knowledge, thus ensuring that members' privacy is better protected.
Clearly regulated through a responsible disclosure policy
- Reporters and ethical hackers are allowed to report security issues under strict conditions.
- Activities are carried out in consultation, according to fixed rules that guarantee that members' data remains protected.
- The policy is fully in accordance with Belgian law.
Recognition and encouragement for the community
- CM recognizes the value of ethical hackers, rewards them for valid reports and puts them in the spotlight through a Hall of Fame.
- This encourages broader involvement in digital security.
General agreements
Any natural person or legal entity can report the existence of a possible vulnerability. The report is made in writing, according to the procedure described below.
CM investigates and tests each report to determine whether a potential vulnerability actually exists or to investigate the methods used by the reporter.
CM guarantees the completeness, integrity, durable storage and confidentiality of all information transferred via the report. The identity of the reporter is also protected, provided that this is explicitly requested. The reporter will only be included in the Hall of Fame if he or she has given explicit permission for this.
Persons who report according to the correct procedure do not have to fear legal consequences. Actions that are necessary to be able to make the report are not considered punishable, as long as the reporter complies with the following conditions:
- The reporter acted without fraudulent intent or the intention to cause harm.
- The reporter has informed the organization responsible for the system, process or control as soon as possible about the discovery of a possible vulnerability.
- The reporter did not go beyond what was necessary and proportionate to verify the existence of a vulnerability.
- The reporter did not disclose information about the discovered vulnerability without CM's permission.
- The reporter did not keep copies of data after the report was made.
A reporter who obtains certain information in the context of his or her work and shares this information in a report cannot be held liable for breaching professional confidentiality or for sharing the information, as long as doing so is strictly necessary to (correctly) report the vulnerability to CM.
Scope
- https://www.cm.be/nl/toepassing/cm-gezondheidsacademie
- https://www.mc.be/fr/services-en-ligne/souscrire-assurance
- https://www.ckk-mc.be/online-dienste/versicherung-abschliessen
- https://www.cm.be/nl/toepassing/zoek-een-zorgverlener-je-buurt
- https://www.mc.be/fr/services-en-ligne/rechercher-prestataire
- https://www.ckk-mc.be/online-dienste/leistungserbringer
- https://www.cm.be/nl/toepassing/online-aangifte-ziekenhuisopname
- https://www.mc.be/fr/services-en-ligne/demande-intervention-hospitalisation
- https://www.ckk-mc.be/online-dienste/antrag-erstattung-krankenhausrechnung
- https://www.cm.be/nl/contact/contactformulier
- https://www.mc.be/fr/contact/formulaire
- https://www.ckk-mc.be/kontakt/formular
- https://www.cm.be/nl/contact/cm-in-je-buurt
- https://www.mc.be/fr/services-en-ligne/points-de-contact
- https://www.ckk-mc.be/online-dienste/kontaktpunkte
- https://www.cm.be/dimona
- https://www.mc.be/fr/services-en-ligne/dimona
- https://www.ckk-mc.be/online-dienste/dimona
- https://www.cm.be/nl/toepassing/ezvk-aanvragen
- https://www.mc.be/fr/services-en-ligne/commander-ceam
- https://www.ckk-mc.be/online-dienste/ekvk-beantragen
- https://www.cm.be/jongeren
- https://www.cm.be/nl/toepassing/toestemming-verwerking-medische-gegevens
- https://www.mc.be/fr/services-en-ligne/consentement-gdpr
- https://www.ckk-mc.be/online-dienste/einverstaendiserklaerung-gdpr
- https://www.cm.be/nl/doccle-documenten-raadplegen
- https://www.mc.be/fr/services-en-ligne/doccle
- https://www.ckk-mc.be/online-dienste/doccle
- https://www.cm.be/nl/toepassing/gele-klevers
- https://www.mc.be/fr/services-en-ligne/commander-vignettes
- https://www.ckk-mc.be/online-dienste/aufkleber-bestellen
- https://www.cm.be/nl/toepassing/welke-verzekering-past-bij-jou
- https://www.cm.be/nl/aanvraag-verzekeringsvoorstel
- https://www.cm.be/nl/toepassing/berekenen-je-premie
- https://www.cm.be/nl/jobs/vacaturelijst
- https://www.mc.be/fr/jobs/offres-emploi
- https://www.cm.be/nl/jobs/vacaturelijst/vacaturedetail
- https://www.mc.be/fr/jobs/offres-emploi/detail-offre
- https://www.cm.be/nl/jobs/alerts-beheer
- https://www.cm.be/nl/toepassing/berekenen-zelf-je-terugbetaling
- https://www.mc.be/fr/services-en-ligne/tarifs-officiels-remboursements
- https://www.ckk-mc.be/online-dienste/honorare-rueckerstattungen
- https://www.cm.be/nl/toepassing/vergelijking-ziekenhuistarieven
- https://www.mc.be/fr/services-en-ligne/prix-hopitaux-belgique
- https://www.ckk-mc.be/online-dienste/krankenhaus-kosten-belgien
- https://www.cm.be/nl/toepassing/aanmelden-op-mijn-cm
- https://www.mc.be/fr/services-en-ligne/connexion-ma-mc
- https://www.ckk-mc.be/online-dienste/sso-onboarding
- https://www.ckk-mc.be/online-dienste/meine-ckk
- https://www.cm.be/nl/lid-worden/je-bent-aangesloten-bij-een-ander-ziekenfonds
- https://www.mc.be/fr/services-en-ligne/affiliation-autre-mutualite
- https://www.ckk-mc.be/online-dienste/einschreibung-andere-krankenkasse
- https://www.cm.be/nl/toepassing/communicatievoorkeuren-beheeren
- https://www.mc.be/fr/services-en-ligne/preferences-de-communication
- https://www.ckk-mc.be/online-dienste/kommunikationspraeferenzen
- https://www.cm.be/nl/toepassing/wat-kost-orthodontie
- https://www.cm.be/nl/toepassing/mijn-cm-verzekeringen
- https://www.mc.be/fr/services-en-ligne/apercu-assurances
- https://www.ckk-mc.be/online-dienste/uebersicht-versicherungen
- https://www.cm.be/nl/domiciliering-zorgpremie-aanvragen
- All vulnerabilities described by the OWASP ASVS.
- Vulnerabilities that lead to personal data leaks.
- Brute-forcing, provided that no more than 5 requests per second are sent.
- Disruptive or destructive attacks (DoS/DDoS, ...)
- Phishing attacks
- Physical attacks (burglary, bypassing physical access control, ...)
- API key disclosure without proven business impact
- Self-XSS
- Verbose messages/files/directory listings with no proven impact
- CORS misconfiguration
- Missing cookie flags except session related cookie flags
- Missing security headers
- Cross-site request forgery with no proven impact
- Autocomplete attributes on webforms
- Best practice violations (password complexity, expiration, re-use, etc.)
- Clickjacking
- Email spoofing, SPF, DMARC or DKIM
- Email bombing
- HTTP request smuggling with no proven impact
- Banner grabbing/version disclosure
- Open gates without proven impact
- Weak SSL configurations and SSL/TLS scan reports
- Disclosing API keys without proven impact
- Same-site scripting
- Arbitrary file upload with no proven impact
- Blind SSRF without proven business impact
- Cookie information disclosure without proven impact
- HTML injection with no proven impact
Report
Contact responsible.disclosure@cm.be with the information needed to reproduce the vulnerability and the location where you found the vulnerability (url, domain, webpage). Our security team will send you an invitation to discuss the details further.
CM will respond to you within 5 business days of reporting a vulnerability and will triage as soon as possible. The vulnerability will then be monitored daily until it is mitigated and retested.
Reward
- All risks are calculated using the latest version of the CVSS calculator. The reward is calculated based on the risk and awarded after the vulnerability is mitigated. Rewards and risk calculation can be adjusted by CM.
- Rewards will be paid out after the patch for the vulnerability is validated by the reporter.
- A reward for a vulnerability only applies if the vulnerability has not been previously reported.
- Any person who discovers a vulnerability also has the right to be inducted into the Hall of Fame.
- Employees or ex-employees (external or internal) who have worked for CM-MC or for CM-MC suppliers in the last year are not eligible for rewards.
Payment to natural persons
Remuneration paid to individuals is paid as a net amount.
After triage and selection of a validated report, CM contacts the reporter and requests the necessary data for further processing of the reward (after patching and retesting). CM then also draws up a tax form and sends it to the reporter.
Payment to legal entities
Legal entities can send an invoice to the email address specified in the reporting procedure after confirmation of a valid report.
| First name | Family name | Nickname | critical | high | medium |
|---|---|---|---|---|---|
| Robbe | Willow | GrumpinouT | 0 | 0 | 2 |
| Yunish | Shrestha | Ystha | 0 | 1 | 0 |

You will only be included in the Hall of Fame if you give your explicit consent. You can withdraw this consent at any time.