Policy for coordinated disclosure of vulnerabilities

Scope of policy application

Due to a desire to improve the performance capacity and security of our network and information systems, the Jan Yperman Hospital has decided to implement an ethical vulnerability disclosure policy (also known as a responsible disclosure policy). Participants with good intentions may therefore identify possible vulnerabilities in the Jan Yperman Hospital’s systems, equipment and products or provide us with any information discovered about a vulnerability.

Our policy relates to security vulnerabilities that can be exploited by third parties or interfere with the proper functioning of our products, services, network or information systems.

Participants are also authorized to enter or attempt to enter IT data into our IT system, taking into account the purposes and conditions of this policy.

List of products, services or websites within the scope of this policy:

Systems that rely on third parties fall outside the scope of this policy, except in those cases in which these third parties explicitly agree to these rules in advance.

Questions related to the scope of this policy can be sent to security@yperman.net.

Mutual obligations of parties

Proportionality

Participants undertake to comply strictly with the principle of proportionality in all their activities, i.e. not to disrupt the availability of the services provided by the system and not to exploit vulnerabilities beyond what is strictly necessary to demonstrate a security issue. Their approach must remain proportionate: if the security issue has been demonstrated on a small scale, no further action should be taken.

Our policy is not intended to allow the deliberate disclosure of the content of IT data, communication data or personal data, and such disclosure may only occur by accident in the context of the detection of vulnerabilities.

Prohibited actions

Participants are not permitted to carry out the following actions:

  • Copying or altering data from the IT system or deleting data from that system;
  • Changing the parameters of the IT system;
  • Installing malware: viruses, worms, Trojan horses, etc.;
  • Distributed denial-of-service attacks;
    • Social engineering attacks;
  • Phishing attacks;
  • Spamming;
  • Stealing of passwords or brute force attacks;
  • Installing a device that makes it possible to intercept, store or access electronic communications that are not accessible to the public;
  • Intentionally intercepting, storing or accessing communications not accessible to the public or electronic communications;
  • Intentionally using, maintaining, sharing or distributing the content of communications not accessible to the public or data from an IT system about which the participant should reasonably have known was unlawfully obtained;
  • Using automatic tooling that generates more than 10 requests per second, therefore potentially impacting availability.

If participants enlist the help of a third party to carry out their analysis, they must ensure that this third party is aware of this policy in advance and agrees to abide by with the terms of the policy when providing assistance.

Confidentiality

Under no circumstances may participants share any information collected within the context of this policy or share this information with third parties without the prior and explicit consent of the Jan Yperman Hospital.

Nor is it permitted to communicate IT data, communication data or personal data to third parties or to share this data with third parties.

However, if the vulnerability may also affect other organizations in Belgium, the participant or relevant organization may report it to the CCB (vulnerabilityreport@cert.be).

Bona fide execution

The Jan Yperman Hospital undertakes to implement this policy in good faith and not to bring civil or criminal proceedings against any participant who strictly complies with its terms.

There can be no fraudulent intent, intent to harm or desire to use or cause harm to the visited system or its data on the part of the participant. This also applies to third-party systems in Belgium or abroad.

In case of doubt about certain terms of our policy, participants should consult with our designated contact in advance and obtain his or her written consent before acting.

Processing of personal data

The processing of personal data has a broad definition and includes, in particular, the storage, modification, retrieval, consultation, use or disclosure of any data concerning an identified or identifiable natural person. The “identifiability” of the person does not depend on the data processor's mere desire to identify him or her, but on the ability to identify the person directly or indirectly based on this data (such as an email address, identification number, online identifier, IP address or location data).

The coordinated vulnerability disclosure policy (CVDP) does not aim to intentionally process personal data. However, it is possible for participants to access, even by accident, personal data stored, processed or transmitted in the IT system in question. It may also prove necessary for participants to temporarily access, retrieve or use personal data as part of vulnerability detection. In this case, the participant must notify the data protection officer at the Jan Yperman Hospital at dpo@yperman.net.

When processing such data, participants undertake to comply with the legal obligations regarding the protection of personal data[1] and the terms of this policy.

  • Participants undertake to only process personal data as instructed by the Jan Yperman Hospital, as defined in this policy, and only for the purpose of detecting vulnerabilities in the Jan Yperman Hospital’s systems, equipment or products. Any processing of personal data for any other purpose is prohibited.
  • Participants agree to limiting the processing of personal data to only what is necessary for vulnerability detection.
  • Participants may not store any personal data processed for longer than is necessary. During this period, participants must ensure that this information is stored with a level of protection that is proportionate to the risks (preferably encrypted). After being used for the purpose of the policy, this data must be deleted immediately.
  • Participants undertake to inform us as soon as possible after becoming aware of any possible personal data breach[2] by email to dpo@yperman.net.

Participants may rely on a third party for their analysis. They must ensure that this third party is aware of this policy in advance and agrees to abide by with the terms of the policy when providing assistance, including confidentiality and the implementation of appropriate security measures. Participants acknowledge that they remain fully liable to the Jan Yperman Hospital if the third party used fails to fulfill data protection obligations.

How to report security vulnerabilities

Point of contact

You may only send the information discovered to the following email address: security@yperman.net.

Provide us with enough information to reproduce the issue and resolve it as quickly as possible.

Contact information should be provided, so that the Jan Yperman Hospital can contact the participant to work together towards a secure result. Provide your name and email address at the very least. It is also possible to use a pseudonym, but ensure that the Jan Yperman Hospital is able to contact the participant with any additional questions or information needed.

We ask that participants provide us with this information in Dutch.

and use secure means of communication as far as possible. The public PGP key is available at https://yperman.net/.well-known/pgp-publickey.txt. Please send your own public key when communicating.

Procedure

Discovery

When participants discover information about a potential vulnerability, they should, to the extent possible, perform prior checks to confirm the existence of the vulnerability and identify any risks.

Notification

Participants undertake to provide technical information on potential vulnerabilities to the designated contact for this policy as soon as possible.

After receiving notification, the Jan Yperman Hospital undertakes to send the participant confirmation of receipt and the next steps in the procedure as soon as possible.

Communication

The parties undertake to do their utmost to ensure permanent and effective communication. After all, the information provided by participants may be very useful in identifying a vulnerability and resolving it.

Analysis

During the analysis phase, the Jan Yperman Hospital will reproduce the environment and vulnerability identified in order to check the information provided.

The Jan Yperman Hospital undertakes to keep participants regularly informed about the results of the analysis and actions taken based on their notification.

During this process, the parties ensure that they establish a link to similar or related notifications, assess the risk and severity of the vulnerability and identify any other affected products or systems.

Developing a solution

The goal of the disclosure policy is to enable the development of a solution to eliminate the vulnerability from the IT system before harm is done.

Taking into account the state of the art, execution costs, severity of risks for users and technical limitations, the Jan Yperman Hospital will try to develop a solution as soon as possible.

At this stage, the Jan Yperman Hospital and its partners undertake to carry out, on the one hand, positive tests to check that the solution is working properly and, on the other hand, negative tests to ensure that the solution does not interfere with the proper functioning of the other existing features.

Possible public disclosure

In consultation with the participant, the Jan Yperman Hospital will decide if and how the existence of the vulnerability is to be disclosed. Such public disclosure may take place at the earliest simultaneously with the implementation of a solution and communication of security notification to users.

The Jan Yperman Hospital also undertakes to collect user comments on the use of the solution and to take the necessary corrective actions to resolve any problems caused by the solution, including those relating to compatibility with other products or services.

If, after the vulnerability has been resolved, participants wish to publish information about the vulnerability, we ask that the participant give us at least one month before the publication and allow us to comment on it. Identifying us either directly or indirectly in a disclosure may only be done with the explicit consent of the Jan Yperman Hospital.

As a token of appreciation for notification of a security issue still unknown to us, we offer the opportunity to be featured in our “Hall of Fame”.

Applicable law

Belgian law applies to all disputes related to the implementation of this policy.

Duration

The rules of the policy apply from April 18, 2026 until amended or cancelled by the Jan Yperman Hospital.

We reserve the right to modify the contents of this policy at any time or to cancel the policy.

Hall of Fame

Mayank Mukhi

(names in order of date of first notification)


[1] Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free movement of such data (General Data Protection Regulation).

[2] A “personal data breach” is a security breach that results in accidental or unlawful destruction, loss, alteration, unauthorized release of or access to personal data.


Last modified on 15 June 2026

NEWSLETTER
Swoosh element