Legal Procedure for Reporting Vulnerabilities
1 Responsible Security Reporting
At MobilityPlus, we take the security of our systems and services seriously. If you discover a vulnerability, we appreciate your help in reporting it to us responsibly.
This page explains how to report a vulnerability safely, what we expect from you as a researcher, and what you can expect from us in return.
2 Report a Vulnerability
If you believe you’ve found a security vulnerability in one of our systems, please let us know as soon as possible by sending an email to: vulnerabilityreport@mobilityplus.be
Please include:
- A clear description of the vulnerability
- The affected system or URL
- Steps to reproduce
- Tools or methods used (if relevant)
- Whether you prefer to remain anonymous or be credited
We ask that you do not publicly disclose the vulnerability until we have resolved it.
3 What We Ask From You
To ensure responsible and legally protected reporting, we ask that you:
- Act in good faith, without malicious intent
- Limit your actions to what is necessary and proportionate to confirm the vulnerability
- Avoid actions that could disrupt services, damage systems, or compromise data
- Never attempt to exploit the vulnerability or access more data than required
- Delete any data obtained during your research as soon as possible
- Keep the information confidential until coordinated disclosure is agreed
Activities that are harmful or excessive, such as social engineering, brute force attacks, installing malware, or causing service disruption, are not permitted.
4 Legal Framework
Belgian law offers certain protections to researchers who:
- Act without malicious intent
- Follow the principles of proportionality and necessity
- Report vulnerabilities responsibly through the correct channel
Please note:
- This protection applies only within Belgium
- It does not apply to actions performed on systems located outside Belgian jurisdiction
- Malicious or disproportionate actions remain punishable by law
5 What You Can Expect From Us
When you report a vulnerability:
- We will acknowledge receipt of your report
- Our security team will investigate and take appropriate action
- We will keep you informed when possible
- If you wish, we will credit you on our Security Wall of Fame once the issue is resolved and disclosure is agreed
- We will coordinate public disclosure with you when appropriate
In cases involving multiple organisations or broader public risk, we may collaborate with the Centre for Cybersecurity Belgium (CCB).
6 Thank You
We greatly appreciate the efforts of security researchers who help us keep our systems safe.
Your responsible reporting strengthens the security of our products, our customers, and the wider ecosystem.