For more details on reporting a vulnerability, please visit: Legal Procedure for Reporting Vulnerabilities
Coordinated Vulnerability Disclosure Policy
Intro
Even though MobilityPlus does not run an official bug bounty program (yet), under the Legal Procedure for Reporting Vulnerabilities we can receive reports of potential vulnerabilities in ICT products or ICT services subject to Belgian law.
Researchers who wish to benefit from legal protection must respect certain conditions, including strict limitation to necessary and proportionate actions, absence of fraudulent intent or malice, and notification and reporting to MobilityPlus.
Purpose
At MobilityPlus, we value the security of our systems, services, and the data we are entrusted with. This Coordinated Vulnerability Disclosure (CVD) Policy outlines how external security researchers, ethical hackers, customers, and partners can report vulnerabilities in a responsible manner and how we commit to respond.
We encourage the reporting of security issues to help us maintain the trust of our customers and continuously improve the security of our systems.
Scope
This policy applies to:
- All internet-facing systems owned, operated, or maintained by MobilityPlus
- Web applications, mobile applications, APIs, firmware, and network infrastructure
- Odoo-based environments, energy management systems, and EV charging platforms under our control
Out-of-scope systems (e.g., third-party services and charging systems we use but do not control) are not covered unless explicitly stated.
Reporting a vulnerability
If you believe you’ve found a security vulnerability, please report it to us privately by emailing vulnerabilityreport@mobilityplus.be.
Please include:
- A clear description of the vulnerability
- Steps to reproduce (proof-of-concept if available)
- The impacted system or URL
- Any tools or techniques used
- Your contact information (optional, but required if you want credit or a follow-up)
What to expect from us
When you report a vulnerability in good faith and in compliance with this policy, we commit to:
- Acknowledgement within 5 business days
- Assessment and prioritisation of the report based on risk and impact
- Transparency about the status and timeline of our remediation efforts
- Credit (if desired) in our acknowledgements page or disclosure timeline
- No legal action — provided you act in good faith and respect our guidelines (see below)
Rules of engagement (what we expect from you)
We ask researchers to follow these principles (non-exhaustive list):
- Act in good faith and avoid privacy violations, data destruction, or service disruption
- Give us a reasonable time to investigate and remediate (we aim to resolve critical issues within 90 days)
- Do not access, download, or modify data that does not belong to you
- Do not perform denial-of-service (DoS) or social engineering attacks
- Do not publicly disclose the vulnerability until we have resolved it or agreed on coordinated disclosure timing
The full procedure, your obligations and allowed actions are described in detail in the Legal Procedure for Reporting Vulnerabilities.
Safe Harbour
We consider activities conducted in accordance with this policy to be:
- Authorized, and
- Exempt from legal action on our part, including any claim under applicable computer-crime, data-protection (GDPR) or cybersecurity (national NIS2 implementation) legislation, to the extent such a waiver is within our power
If legal action is initiated by a third party, we will make it clear that your actions were authorised under this policy and were part of a responsible disclosure process.
Note that this policy cannot by itself exempt you from criminal prosecution or from claims by third parties. For legal protection under Belgian law, researchers must also comply with the Legal Procedure for Reporting Vulnerabilities.
Wall of Fame & Recognition
We believe in acknowledging those who help us strengthen our cybersecurity. With your explicit permission, we may include your name or alias on our Security Wall of Fame page (with an optional link to your LinkedIn profile). If you prefer to remain anonymous, we will fully respect that choice.
Although we do not run a formal bug bounty program (yet), we also occasionally provide small thank-you tokens or company swag as a gesture of appreciation, based on the impact and quality of the report.