Coordinated Vulnerability Disclosure Policy
1. Introduction and Purpose
The Collective Consulting BV is committed to the security of its networks, information systems, products, and services. Despite our best efforts, vulnerabilities may exist. This Coordinated Vulnerability Disclosure Policy (CVDP) establishes a framework that enables security researchers and ethical hackers to identify and report potential vulnerabilities in a responsible and legally protected manner.
This policy is established in accordance with:
- The Belgian Law of 26 April 2024 (the “NIS2 Law”), in particular Articles 22 and 23, which provide the legal framework for vulnerability reporting to the Centre for Cybersecurity Belgium (CCB);
- The Belgian Law of 28 November 2022 on the protection of persons who report breaches of Union or national law (Whistleblowers’ Act);
- The Belgian Law of 8 December 2022, which introduced legal protection for ethical hackers acting in good faith;
- The Cybersecurity Strategy Belgium 2.0, which promotes coordinated vulnerability disclosure as a key element of national cybersecurity;
- ISO/IEC 27001:2022, in particular Annex A control 8.8 (Management of Technical Vulnerabilities), which requires organizations to establish processes for identifying, evaluating, and addressing technical vulnerabilities;
- The guidelines and recommendations of the Centre for Cybersecurity Belgium (CCB) regarding the implementation of CVDPs.
The term “coordinated” is preferred over “responsible” as it emphasizes the reciprocal obligations of both the Organization and the participant (security researcher), and avoids confusion with civil liability.
2. Scope of the Policy
This policy applies to the identification and reporting of security vulnerabilities that could be exploited by third parties or disrupt the proper functioning of the Organization’s products, services, networks, or information systems.
The participant is permitted to search for potential vulnerabilities in the Organization’s systems, equipment, and products with good intentions, and to introduce or attempt to introduce computer data into the Organization’s computer system, subject to the purposes and conditions set out in this policy.
2.1 In-Scope Systems
The following systems, products, and services are within the scope of this policy:
- All publicly accessible web applications and websites operated by The Collective Consulting BV
- Public-facing APIs and web services
- Client-facing portals and platforms
- Public cloud-hosted services and infrastructure managed by the Organization
Note: The specific URLs and system identifiers covered by this policy are maintained in a separate annex and published on the Organization’s website.
2.2 Out-of-Scope Systems
The following are explicitly excluded from the scope of this policy:
- Systems, networks, or infrastructure belonging to or operated by third parties, unless that third party has explicitly agreed to these rules in advance
- Physical security testing (e.g., office access, hardware tampering)
- Social engineering attacks targeting employees, contractors, or partners
- Third-party SaaS platforms used by the Organization (e.g., Microsoft 365, Google Workspace) unless explicitly listed as in-scope
- Systems of the Organization’s clients, unless a separate agreement is in place
Important: Research on information systems not explicitly included in the scope of this policy may lead to legal proceedings against the participant.
3. Mutual Obligations of the Parties
3.1 Proportionality
The participant undertakes to strictly comply with the principle of proportionality in all activities conducted under this policy. This means:
- Not disrupting the availability of services provided by the Organization’s systems
- Not exploiting the vulnerability beyond what is strictly necessary to demonstrate the security flaw
- Using the least intrusive method available to confirm the vulnerability
- Ceasing further testing once the security problem has been demonstrated, even on a small scale
The objective of this policy is not to allow intentional access to the content of computer data, communication data, or personal data. Any such access shall only occur incidentally in the context of vulnerability research.
3.2 Prohibited Actions
Participants are expressly prohibited from taking the following actions:
- Copying, altering, or deleting data from any IT system
- Modifying IT system parameters or configurations
- Installing malware, including but not limited to viruses, worms, Trojan horses, ransomware, or backdoors
- Conducting Distributed Denial of Service (DDoS) attacks
- Conducting social engineering or phishing attacks against the Organization’s personnel
- Spamming or sending unsolicited communications
- Performing password theft or brute force attacks
- Installing any device or software to intercept, store, or monitor electronic communications not accessible to the public
- Intentionally intercepting, storing, or accessing non-public communications
- Using, maintaining, communicating, or distributing the content of non-public communications or data from an IT system where the participant should reasonably have known it was obtained unlawfully
- Any action that could compromise the confidentiality, integrity, or availability of the Organization’s systems or data beyond what is strictly necessary for vulnerability research
If the participant wishes to use the assistance of a third party, the participant must ensure that the third party is aware of this policy and agrees to abide by all its terms.
3.3 Confidentiality
The participant must strictly refrain from sharing or disclosing any information collected under this policy with third parties without the Organization’s prior and explicit written consent.
It is not permitted to reveal or disclose computer data, communication data, or personal data to third parties.
In the event that the vulnerability may also affect other organisations in Belgium, the participant or the Organization may inform the Centre for Cybersecurity Belgium (CCB) following the procedures outlined on the following page: https://ccb.belgium.be/cert/vulnerability-reporting-ccb
3.4 Good Faith (Bona Fide) Execution
The Organization undertakes to implement this policy in good faith and not to take legal action, either civil or criminal, against a participant who complies with all conditions set out herein.
The participant must be free of:
- Fraudulent intent
- Intent to harm
- Intent to use or exploit the vulnerability for personal gain
- Intent to cause damage to the visited system or its data
This requirement applies equally to third-party systems located in Belgium or abroad.
If there is any doubt about any of the conditions of this policy, the participant must first contact the Organization’s security contact point and obtain written consent before acting.
3.5 Processing of Personal Data
The purpose of this CVDP is not to intentionally process personal data. However, it is possible that the participant may process personal data, even incidentally, during vulnerability research.
In the event of processing personal data, the participant undertakes to comply with the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) and all applicable Belgian data protection legislation, and in particular:
- Process personal data only in accordance with the instructions described in this policy and exclusively for the purpose of investigating vulnerabilities
- Limit the processing of personal data to what is strictly necessary for vulnerability research (data minimisation)
- Ensure that any persons assisting in the research undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (e.g., encryption of stored data)
- Inform the Organization of any personal data breach as soon as possible after becoming aware of it
- Not retain any personal data longer than necessary; all personal data must be securely deleted at the end of participation
- Maintain a register of processing activities carried out under this policy, in accordance with Article 30(2) of the GDPR
Should the participant process personal data inconsistently with this policy or for purposes other than vulnerability research, the participant acknowledges that they will be considered a data controller and will assume full responsibility for such processing.
3.6 Recognition – Hall of Fame
The Organization values the contributions of security researchers who help improve the security of its systems. Participants who report valid vulnerabilities in compliance with this policy may be acknowledged in the Organization’s Security Hall of Fame, subject to the following conditions:
- The vulnerability is confirmed as valid and within scope
- The participant has fully complied with all terms of this policy
- The participant consents to being named (alternatively, anonymous recognition is possible)
The Organization may offer monetary rewards under this policy. Recognition, and the decision to offer any reward, are at the Organization’s sole discretion.
4. How to Report a Vulnerability
4.1 Point of Contact
Vulnerability reports should be sent to the following dedicated security email address:
info@thecollective.eu
In the absence of a response from the Organization within a reasonable time, participants may contact the Centre for Cybersecurity Belgium (CCB), which can then act as coordinator.
4.2 Information to Communicate
As soon as possible after the discovery, please send us information on your findings using the vulnerability report form in Annex I of this policy. At a minimum, please provide:
- Your contact details (name, email address)
- A detailed description of the vulnerability, including the type and potential impact
- Steps to reproduce the vulnerability
- The IP address(es) or URL(s) of the affected system(s)
- Configuration details, operating system, and tools used
- Dates and times of testing
- Any evidence such as screenshots, logs, or proof-of-concept code
- If personal data was accessed: the types of data and categories of data subjects
The Collective Consulting securely stores your data within Microsoft’s datacenter in the European Union. Appropriate security measures are in place to ensure the security of your information. To this point, The Collective Consulting has an extensive Information Security Management System (ISMS) and is ISO 27001:2013 certified.
5. Procedure
5.1 Discovery
Where a participant becomes aware of information relating to a potential vulnerability, the participant should, where possible, carry out prior checks to confirm the existence of the vulnerability and identify any risks involved, while respecting the proportionality principle.
5.2 Notification
The participant shall notify the Organization of the potential vulnerability as soon as possible, using the contact point and secure communication means specified in Section 4.1.
Upon receipt of a notification, the Organization shall:
- Send an acknowledgement of receipt as soon as possible, and in any case within 5 business days
- Provide an internal reference number for tracking
- Remind the participant of the main obligations under this CVDP
- Communicate the next steps of the procedure
5.3 Communication
Both parties undertake to make every effort to ensure continuous and effective communication throughout the process. The Organization will provide regular updates on the status of the investigation and remediation efforts.
In the absence of a response from either party beyond a reasonable time, the parties may call upon the Centre for Cybersecurity Belgium (CCB) at vulnerabilityreport@cert.be as coordinator.
5.4 Investigation
The Organization will investigate the reported vulnerability by attempting to replicate the environment and behaviour described. During this phase:
- The Organization will assess the risk and severity of the vulnerability (using industry-standard frameworks such as CVSS where appropriate)
- The Organization will identify any other affected products or systems
- The Organization will link the report with any similar or related reports
- The participant will be kept informed of investigation progress on a regular basis
This aligns with ISO 27001:2022 Annex A control 8.8, which requires systematic identification, prioritisation, and remediation of technical vulnerabilities.
5.5 Development of a Solution
The objective of this policy is to enable the development of a solution to remediate the vulnerability before any damage is done. The Organization will:
- Develop and test a remediation within 90 calendar days of confirming the vulnerability, taking into account the state of knowledge, implementation costs, severity of risks, and technical constraints
- Conduct positive tests to verify that the solution works correctly
- Conduct negative tests to ensure the solution does not disrupt existing functionalities
- Apply change management procedures in accordance with the Organization’s ISMS and ISO 27001:2022 Annex A control 8.32
If remediation cannot be completed within 90 days, the Organization will inform the participant of the expected timeline and the reasons for the delay.
5.6 Public Disclosure
The Organization will decide, in coordination with the participant, on the modalities of any public disclosure of the vulnerability. Public disclosure should:
- Take place at the earliest possible time, together with the deployment of a solution
- Include the distribution of a security notice to affected users
- Not occur before a remediation or mitigation is available, unless there is an imminent threat to public safety
In the event that the vulnerability also affects other organisations, the Organization will inform the CCB in all cases, even if it does not wish the vulnerability to be disclosed publicly.
The Organization is also committed to collecting user feedback on the deployed solution and taking necessary corrective measures.
6. ISO 27001:2022 Alignment
This CVDP forms an integral part of the Organization’s Information Security Management System (ISMS) and supports compliance with the following ISO 27001:2022 Annex A controls:
| Control | Title | Relevance to CVDP |
| --- | --- | --- |
| A.5.20 | Supplier Relationships | Requires vulnerability disclosure terms in contracts with third parties |
| A.5.24 | Incident Management Planning | Vulnerability reports may trigger incident response procedures |
| A.5.26 | Response to Incidents | Discovered vulnerabilities feed into incident handling processes |
| A.6.6 | Confidentiality Agreements | NDAs and confidentiality obligations for participants |
| A.8.8 | Management of Technical Vulnerabilities | Core control: systematic identification, evaluation, and remediation of vulnerabilities |
| A.8.28 | Secure Coding | Vulnerability findings inform secure development practices |
| A.8.32 | Change Management | Governs how patches and fixes are tested and deployed |
7. Applicable Law and Dispute Resolution
Belgian law is applicable to any disputes arising from the application of this policy.
The Centre for Cybersecurity Belgium (CCB) may act as an intermediary in an attempt to reconcile the Organization and the participant for problems related to the application of this policy.
The Organization recalls that, under current Belgian law, any natural or legal person may search for and report potential vulnerabilities in networks and information systems located in Belgium, provided they comply with the conditions set forth in the applicable legislation. Participants who comply with this policy and with the applicable legal requirements benefit from the legal protections established by Belgian law.
Important: If vulnerability research is carried out on networks or information systems located in whole or in part outside Belgian territory, the Belgian legal framework will only protect the researcher in Belgium and not in other jurisdictions. Participants are advised to verify the legal framework of any other jurisdiction that may be affected.
8. Duration and Amendments
This policy is effective from 01/01/2026 and remains in force until modified or withdrawn by the Organization.
Any modifications or deletions to this policy will be published on the Organization’s website and will apply automatically after a period of 30 calendar days following their publication.
The Organization will review this policy at least annually as part of its ISMS review process, in accordance with ISO 27001:2022 requirements.