Autovig welcomes security research conducted in good faith on its public properties. This policy is the controller's coordinated-vulnerability-disclosure (CVD) policy under ISO/IEC 29147:2018, the Belgian Loi du 28 novembre 2022 (CVD safe-harbour conditions and the role of the Centre for Cybersecurity Belgium — CCB) and the ENISA Good Practice Guide on Vulnerability Disclosure. It applies to the website autovig.eu (the "Site").
1. Reporting channel
Send a single, structured report to:
Email subject: include the words "security report"
PGP key: TODO(pgp-key) — when a key is published it will be available on this page.
If you cannot reach us, or if you do not receive an acknowledgement within the timeline at section 6, you may refer the report to the Belgian national CSIRT:
You can submit reports in English, French, German, Dutch, Romanian or Polish.
2. Scope
In scope:
autovig.eu and any subdomain serving production content;
the static-site build output: HTML, CSS, JS bundles, and the structured data we emit;
the cookie consent flow and the consent storage on the client.
3. Out of scope
Third-party operator websites (ASFINAG, DARS, NÚSZ, BGTOLL, CNAIR, etc.) — please report those to the operator directly.
Issues that require a privileged position (already-compromised browser, malicious browser extension, physical access to the user's device).
Automated-scanner output without a clear, demonstrable security impact.
Reports about missing best practices (HTTP header hardening, TLS configuration choices, software-version fingerprinting) where no exploitable risk is shown.
Denial-of-service tests, social-engineering against staff or contractors, attacks against physical premises, attacks against third-party providers (hosting, DNS, mail).
4. What to include in the report
A short description of the issue and the affected URL or component.
Step-by-step reproduction, including the request payload if relevant.
The impact you believe the issue has, and a realistic exploitation scenario.
The date and time of testing and the browser, tool or script used.
Your preferred name (or pseudonym) for public credit, if any (section 8).
5. What we ask of you
Do not access, modify or download data that does not belong to you. If a misconfiguration exposes someone else's data, stop and tell us — do not download more than the minimum needed to evidence the issue.
Do not perform denial-of-service tests, social engineering, or attacks against physical premises or third-party providers.
Give us a reasonable window to fix the issue before public disclosure (section 7).
Operate in good faith. Reports submitted with the genuine intent of improving security are welcome; threats, extortion or demands for payment in exchange for non-disclosure are not.
6. Coordinated timeline — what we commit to
Acknowledgement within 5 business days of receipt.
Triage (in-scope confirmation, initial severity) within 10 business days.
Status updates on material findings at least every 15 calendar days until the report is closed.
Remediation within a window proportionate to severity: critical or actively exploited issues are prioritised; standard fixes target 90 calendar days from triage; if more time is required, a justified extension is agreed with you.
Public credit when a fix is shipped, if you wish (section 8).
7. Coordinated public disclosure
We follow a coordinated-disclosure model:
the report and the fix remain confidential until a remediation is shipped or until the coordinated-disclosure window (default 90 calendar days from triage) has elapsed;
the controller and the reporter agree on the wording, attribution and timing of any public advisory;
where a finding affects a third party (operator, processor, library), we may extend the window by mutual agreement to allow that party to coordinate its own response;
in case of disagreement on timing, the matter may be referred to the CCB (section 9).
8. Recognition — no bug-bounty programme at this time
Autovig does not currently run a paid bug-bounty programme. Recognition is via public credit on this page (with your preferred name or pseudonym) and direct correspondence. No commitment to monetary reward is made; if a programme is later introduced, the terms will be published here before any submission can rely on them.
9. Safe harbour and Belgian legal framework
We will not pursue legal action — and will treat your conduct as authorised for the purposes of the relevant computer-misuse provisions of Belgian law (in particular articles 550bis and 550ter of the Code pénal / Strafwetboek) — provided that you:
act in good faith with the genuine intent of improving security;
stay within the scope at section 2 and respect the out-of-scope list at section 3;
access only the minimum data necessary to evidence the finding and do not exfiltrate, retain, publish or share third-party data;
do not degrade availability, integrity or confidentiality beyond what is strictly necessary to demonstrate the issue;
report the finding to the channel at section 1 without unreasonable delay;
respect the coordinated-disclosure timeline at section 7.
This authorisation is granted by Autovig in its capacity as controller of the in-scope assets. It neutralises the unauthorised-access element of articles 550bis/550ter for in-scope acts only. It does not bind public authorities or third parties whose systems may be incidentally affected. Researchers who additionally notify the CCB and follow the conditions of the Belgian Loi du 28 novembre 2022 (relating to whistleblowers and coordinated vulnerability disclosure) benefit from the statutory CVD safe-harbour framework administered by the CCB, independently of this controller-granted authorisation. Where doubt exists, the CCB CVD policy at https://ccb.belgium.be/en/cvdp is the reference.
10. Processing of your personal data
The personal data you transmit when reporting a vulnerability (email address, content of the report, optional PGP-encrypted material) is processed by Autovig as controller under the legal basis of legitimate interest (article 6(1)(f) GDPR), for the purposes of triage, remediation and coordinated public disclosure. Reports are retained for up to 5 years after closure, in line with the CCB CVD policy guidance. Your full data-subject rights, the route to the Belgian APD/GBA and the full data-protection disclosures are set out in our Privacy Policy.