Responsible disclosure

In its capacity as the largest system operator in Flanders, Fluvius is doubling down on continuous digitalization and automation of its utility services for households, public and private sector businesses. To provide said services in an open and stable way, excellence in safety and security is our prime concern. As new vulnerabilities emerge every day, part of the Fluvius strategy to prevent these from being exploited by malicious entities is collaborating with researchers, ethical hackers, bug bounty hunters and other cyber security aficionados.

How you can help us

If you stumble upon a weakness or vulnerability in our Fluvius digital portfolio such as websites, mobile or web applications, digital meters or other IoT solutions, please report it to webmaster [at] fluvius [dot] be and include the following information:

  • Comprehensive and detailed information about the found weakness and possible impact of exploitation;
  • Detailed description of the steps needed to reproduce the vulnerability, such as host name, IP address, URL, proof of concept, step by step procedure, scripts, screenshots, pictures;
  • Your contact details, so we may contact you if needed, and which will be handled with utmost discretion and confidentiality (pinky swear);
  • Please act in a responsible manner by sharing this information with Fluvius only, and through the above-mentioned email address. Under no circumstance post or publish any weaknesses or vulnerabilities found using public channels such as social media, internet fora or even traditional press, as doing so may put you at risk of legal action.

Share this information only with Fluvius via the above e-mail address and deal with it in a responsible manner.

Rules for responsible disclosure

What can you report?

Any potential weaknesses or vulnerabilities found in our digital services portfolio, excluding those hosted by external providers or other third parties. In case of doubt, send your findings anyway.

What is not considered responsible action or disclosure?

In order to guarantee the safety of our users and employees as well as not to disrupt our services, the following techniques and methods are explicitly prohibited:

  • Physical or brute force tampering attacks such as probing access to compounds, buildings or apparatus;
  • Social engineering such as phishing or other fraudulent contact attempts and communications;
  • (Distributed) Denial of Service (DDoS) attacks at either the network or application level;
  • Any action or technique that can compromise the availability, integrity and confidentiality of systems and data.

How do we follow up on your report?

Fluvius is very concerned about information security, so we take all reports of weaknesses extremely seriously. We therefore commit to act on all correctly documented reports in the following way:

  • You will receive a response within 2 weeks;
  • If we need additional information, we will contact you directly;
  • Each report will be investigated and resolved as quickly and efficiently as possible;
  • No legal action will be taken as long as all of the above conditions are met.

Unauthorised use of our digital portfolio

You commit to the following:

  • To not use any information obtained in an illegitimate or illegal way;
  • To not use our digital services portfolio in a way that may damage, distort, interrupt or discontinue the underlying services or make them less efficient;
  • To not use our digital services portfolio for the transmission or posting of computer viruses and other malware, for the transmission or posting of illegal or illegitimate material or material that is inappropriate in any way (including, but not limited to, material with a libellous, obscene, discriminatory, violent or threatening character);
  • To not use our digital services portfolio in such a way that may infringe on the rights of a natural person, legal person or association, including, but not limited to, privacy and intellectual property rights;
  • To not use the website for the posting and transmission of material with promotional or advertising purposes without the prior permission of Fluvius, except if this was requested by the recipient.

If you breach the intellectual property rights or other rights of Fluvius or third parties, you commit to compensate and indemnify Fluvius and/or the third parties against any claims resulting from a violation.