Disclosure

At Syntory, the security of our systems is very important to us. Despite our care for the security of our systems, it is always possible that there is a vulnerability. If you have found a vulnerability or security flaw in one of our systems, physical or digital, please let us know so that we can take security measures as soon as possible. We would like to work with you to better protect our systems, our customers and our ecosystem.

1. Scope

This policy applies to all interested parties and stakeholders of Syntory, for any of the Syntory services and platforms.

2. Audience

We request the cooperation of the audiences in scope, including, but not limited to:

Website Visitors
Visitors on Syntory premises
Employees and staff
Customer
Contractors and partners;
Prospects

3. Protocol

What we ask you to do:

In case you discovered a vulnerability, we ask you to do the following:

Provide sufficient information to reproduce the problem so that we can solve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more complex vulnerabilities may require more;

Encrypt your findings using our safe tool at https://safe.core-ict.be to prevent the information from falling into the wrong hands;

Email your findings to security@syntory.com

What we ask you NOT to do:

When a vulnerability has been discovered, please refrain from:

Abusing the problem by, for example, downloading more data than is necessary to demonstrate the leak or viewing, deleting or modifying data from third parties;

Sharing the problem with others before it is resolved. Please also erase all confidential data obtained through the leak immediately after closing the leak;

Attacking physical security, social engineering, distributed denial of service, spam or third-party applications, and damaging our platforms in any way, or impacting the performance of these systems.

Please be aware:

There is a legal protocol to be followed (see legal reference below). Any illegal access to our systems can and will be prosecuted to the maximum extent if this regulatory protocol is disregarded.

What can be expected from us:

We will respond to your report as soon as possible, maximum within 5 working days, with our initial assessment of the report and an expected date for resolution;

If you have complied with the above conditions and the legal conditions by cyberlaw, we will not take any legal action against you regarding the report;

We will treat your report confidentially and will not share your personal data with third parties without your permission unless this is necessary to comply with a legal obligation;

If desired, we will keep you informed of the progress of solving the problem;

In notifying you of the reported problem, we will, if you wish, mention your name as the discoverer.

Publication of the vulnerability or resolution:

Only Syntory decides on any public or official communication and publication on discovered vulnerabilities. No publication is allowed without agreement and validation by Syntory.

4. Courtesy

This responsible disclosure policy is based on the open-source project based on the Creative Commons v3 license: https://responsibledisclosure.nl/

5. Legal reference

Please be aware that the reporting of any vulnerability is bound to legislation.

As Syntory HQ is located in Belgium, the Belgian law on vulnerability disclosure applies.

In short (quote from the website of CCB):

You must limit yourself strictly to the facts necessary to report a vulnerability. Thus, you must not act beyond what is necessary and proportionate to verify the existence of a vulnerability;

You must act without fraudulent intent or design to harm;

As soon as possible after the discovery of the potential vulnerability (and at the latest at the time of reporting to the national CSIRT), you must inform the organization responsible for the system, process or control of the vulnerability;

You must report the discovered vulnerability as soon as possible to the CCB (in the absence of a CVDP), in writing and according to the procedures described in point D of the CCB policy;

You must not publicly disclose information about the discovered vulnerability without the agreement of the national CSIRT (CCB).

More information: https://ccb.belgium.be/en/vulnerability-reporting-ccb

6. General company info

Website: https://www.syntory.com/
Contact: https://www.syntory.com/contact/
VAT: BE 0729.751.289 (Belgium)

Syntory HQ
Sint Jobsesteenweg 102
B-2930 Brasschaat
Belgium
Phone: +32 (0)3 369 38 00

Story

Noun

  1. Real people and events told for entertainment
  2. The commercial prospects or circumstances of a particular company

Synthesis

Noun

  1. The combination of components or elements to form a connected whole