Last update: June 16th, 2025

1. Introduction

Itineris is committed to protecting and securing its website, ICT products, software, services, networks and other (information and IT) systems (“Resources”). In order to continuously improve the security of our Resources, we have adopted this coordinated vulnerability disclosure policy (“CVDP” or “Policy”).

This Policy informs you (a participant in this CVDP) under which terms and conditions you – provided you have no fraudulent intention or intention to harm – can search for potential vulnerabilities in our organization’s Resources and how you can inform Itineris of any information you discover about a (potential) vulnerability. Please read this Policy carefully. It describes not only your rights, but also how you can exercise them. A vulnerability is any weakness, susceptibility or deficiency of ICT products or ICT services that can be exploited by a cyber threat.

By using our Resources with the aim of discovering any (potential) vulnerabilities or by disclosing any (potential) vulnerabilities to Itineris, you participate in this CVDP and acknowledge and agree to adhere to the content and procedures set forth in this Policy.

2. Who we are and how to contact us?

Itineris is a company incorporated under Belgian law.

  • Company name: Itineris NV
  • Registered office: Westrem Building, Kortrijksesteenweg 1144 A, 9051 Sint-Denijs-Westrem (Ghent), Belgium
  • Company number: 0474.964.260

hereinafter “Itineris”, “we” or “us”.

We have appointed a Chief Information Security Officer, whom you can contact for questions about this Policy.

Email address: vulnerability-disclosure@itineris.net

3. Scope

Access to our Resources is strictly limited to and only permitted to persons with good faith intentions to improve the security and safety thereof, to inform us of existing or potential vulnerabilities and in strict compliance with applicable law and the terms and conditions set forth in this Policy.

Our Policy concerns security vulnerabilities that could be exploited by third parties or disrupt the proper functioning of our Resources.

The scope of this Policy is limited to Itineris’ Resources. Third party websites, applications, products, software, systems, services and other resources (“Third Party Resources”) and any Resources which are dependent on Third Party Resources are expressly excluded from the scope of this Policy.

4. Obligations of the participant

4.1. Proportionality

The participant undertakes to comply strictly with the principle of proportionality and necessity in all its activities and services carried out under this Policy.

Without prejudice to the generality of the foregoing, you will not:

  • (i) disrupt (the availability of) our Resources nor our service offering or business activities;
  • (ii) exploit or otherwise use any (potentially) discovered vulnerability beyond what is strictly necessary to demonstrate the (alleged) security issue or vulnerability, meaning that, as soon as a (potential) security issue is demonstrated to a certain extent (however insignificant), no further action can be undertaken by you and you shall immediately inform Itineris in accordance with clause 10 of this Policy; and
  • (iii) intentionally (attempt to) access or get knowledge of (either manually or automatically by using a ‘robot’, ‘spider’, ‘crawler’, search or retrieval systems or by using any other (automatic) tools, processes or methods) any content or data (including, without limitation, personal data) available on or within the Resources. Access to any content or data available on or within the Resources can only occur incidentally in the context of the search for vulnerabilities.

4.2. Restricted actions

You are prohibited from (directly or indirectly) executing the following actions:

  • (i) using the Resources in any unlawful manner, for any unlawful purpose or in any manner inconsistent with this Policy;
  • (ii) acting fraudulently or maliciously or impersonating another natural person or legal entity;
  • (iii) misusing a discovered vulnerability or undertaking any action that could cause the Resources to become more susceptible to vulnerabilities;
  • (iv) copying, altering, amending, combining or deleting any (personal) data or information available on or within the Resources and inserting any new data or information in the Resources (other than any potential visiting logs that might be (automatically) generated or created, provided the integrity of the Resources in question is not impacted);
  • (v) using the Resources in a way that could damage, disable, overburden, impair or compromise our Resources or its security or interfere with users’ usage thereof;
  • (vi) changing, altering, enabling or disabling the parameters or settings of the Resources (such as, without limitation, disabling or enabling any cookies);
  • (vii) installing or inserting malware: malicious code, viruses, worms, Trojan horses, etc.;
  • (viii) executing (Distributed) Denial of Service ((D)DOS) attacks, social engineering attacks, phishing attacks, brute force attacks or similar attacks;
  • (ix) using the Resources to distribute any form of spam or unwanted (non-)commercial information, chain letters or pyramid schemes;
  • (x) stealing passwords;
  • (xi) installing devices, tools, methods or systems to intercept, store or access (electronic) communications that are not accessible to the public unless you can prove that you have no intention of using the aforementioned systems for the aforementioned purposes, either by evidencing the consent of all participants in the communication or by participating in the communication yourself;
  • (xii) the intentional interception, storage or receipt of communications or data not accessible to the public or of electronic communications or (attempt to) decipher any transmissions to or from any Resources;
  • (xiii) the deliberate use, maintenance, communication or distribution of the content of non-public communications or of data available on or within the Resources whereof the participant should reasonably know it is unlawfully obtained; and
  • (xiv) disclosing, sharing, disseminating, publishing or otherwise making available a discovered vulnerability to or with any third party, without Itineris’ express prior written consent, unless otherwise permitted under this Policy and/or required under Belgian laws.

Please note that if you do not abide by the terms of this Policy (and in particular, without limitation the aforementioned restrictions) you are guilty of an offence.

4.3. Third parties

In the event you engage or use the assistance of a third party to carry out any investigation or activities falling within the scope of this Policy, you warrant that said third party is fully aware of this Policy and that he/she agrees to abide by the terms of this Policy.

5. Confidentiality

5.1. Your obligations

You shall treat as confidential, protect and keep secret all information relating to Itineris and the Resources (including, without limitation, any information and (personal) data available within or stored in the Resources or collected or generated in the execution of any activities under this Policy, such as visuals, materials, reports, or any other information or output materials which have come to your knowledge or are under your control) (“Confidential Information”), and shall not disclose, share, disseminate, publish or otherwise make available any of our Confidential Information to or with any third party, without our express prior written consent or as required under applicable Belgian law. You shall not use any of our Confidential Information for any purpose other than as required to execute your rights under this Policy or for the performance of your obligations under this Policy or applicable law.

The obligations set out in this clause shall enter into force as from the start of your usage or access to any of our Confidential Information and shall survive during five (5) years after the termination or expiration of your last usage or access to the Confidential Information.

Upon our first request and in any event upon completion of your activities under this Policy, you shall – at our discretion – promptly, and in any event no later than 72 hours, delete (and certify to us that you have done so) or return to us all Confidential Information and all materials and documentation (and all copies thereof) that came into your possession in the execution of any activities under this Policy.

In the event the vulnerability may also affect other organizations in Belgium, you or Itineris may inform the CCB (vulnerabilityreport@cert.be). In the event you decide to notify the CCB, you shall promptly notify Itineris of this intention/notification.

5.2. Itineris’ obligations

Unless disclosure is necessary to comply with our legal obligations, any order of a governmental, judicial or other regulatory authority and/or in order to protect our or a third party’s legitimate interests, Itineris will treat any notifications executed by you in accordance with this Policy as confidential and will only share your identity or personal data (including the identity of third parties) with its staff members who have a “need to know” basis for receiving and following-up any notifications made under this Policy.

6. Processing of personal data

6.1. Your obligations

The purpose of any actions and activities executed under this CVDP is not and cannot be to intentionally process personal data. Unless it is strictly necessary to evidence the existence of a (potential) vulnerability with the purpose of notifying Itineris of said (alleged) vulnerability, you are not allowed to consult, access, use, retrieve, disclose, store or otherwise process any personal data that could relate to an identified or identifiable natural person within the meaning of the general data protection regulation (Regulation (EU) 2016/679) (“GDPR”).

In the event you incidentally or accidentally get access to or otherwise process any personal data that is available or stored in the Resources, in the course of your vulnerability research, you shall

  • (i) comply with all European, Belgian and other applicable laws related to data protection;
  • (ii) immediately (i.e. at the latest within twenty-four (24) hours) inform us in the event you accessed and/or lost any personal data or in the event you identified any other (potential) personal data breach by sending an email to privacy@itineris.net;
  • (iii) immediately cease access to and any processing activities with respect to the personal data and immediately (i.e. at the latest within three (3) calendar days) return (or alternatively delete and certify such deletion in writing) any personal data which you do not or no longer need to evidence any (potential) vulnerability with the purpose of notifying Itineris.

In the event that, notwithstanding any prohibition thereto, you process personal data available within or stored in our Resources in a manner inconsistent with this Policy or for purposes other than the investigation of potential vulnerabilities in our Resources, you will be considered a data controller and will assume full responsibility for the processing activities carried out.

6.2. Itineris’ obligations

If and to the extent we process your personal data, we will do so in accordance with our privacy policy available at https://www.itineris.net/global/privacy-policy/.

Itineris has appointed a Data Protection Officer, whom you can always contact for questions about your privacy and the processing of your personal data, by sending an email to: privacy@itineris.net.

7. Ownership of the Resources

All (intellectual) property rights vested in the Resources, content, information, materials and (personal) data available within or stored on the Resources (including the “look and feel thereof”) are and remain the sole and exclusive property of Itineris (or its licensors) and are protected by copyrights and other applicable rights in accordance with local, national and international legislation. Itineris does not grant you any other rights to its Resources than granted pursuant to this Policy. You shall not in any way acquire any title, intellectual property rights, or other proprietary rights of whatever nature vested in or related to the Resources.

In any event, you shall not (directly or indirectly), nor allow or permit any third party to:

  • (i) arrange or create derivative works based on the Resources;
  • (ii) assign, distribute, sub-license, transfer, sell, lease, rent out the Resources or make them available to any third party;
  • (iii) modify, alter, copy, duplicate, reverse engineer, decompile, disassemble, record or otherwise reproduce or (try) to access or discover the (underlying) source code of the Resources or any part of them;
  • (iv) remove or alter any copyright or other proprietary notice on the Resources.

In the event that, notwithstanding any prohibition thereto, you modify or create derivative works of the Resources, Itineris shall own all right, title and interest, including any intellectual property rights, in and to such modifications and derivatives and you hereby automatically assign any such rights, title, interests and intellectual property right vested in such modifications and derivatives to Itineris (at no cost) as of their inception.

8. Execution of this Policy

8.1. Your obligations

You will execute any activities under the scope of this Policy:

  • (i) in a free and independent manner, at your own discretion but taking into account Itineris’ interests;
  • (ii) with the diligence, seriousness, professionalism and competence that Itineris is entitled to reasonably expect from a careful person placed in similar circumstances and in accordance with applicable industry practices and standards. You hereby declare that you understand the risks associated with the implementation of this Policy and have the necessary expertise, knowledge and experience to test our Resources in a safe manner and in compliance with applicable law; and
  • (iii) loyally, i.e. in a manner which does not harm the interests of Itineris (meaning that you shall not (directly or indirectly) have any participation or interest, in any company, institution or entity which performs activities that are the same as or competitive with the activities performed by Itineris or participate or be involved in an activity, which is directly or indirectly competitive with the activities of Itineris).

If you have any doubt about any of the conditions of our Policy, you must contact us by sending an email to: vulnerability-disclosure@itineris.net prior to taking any action and adhere to any additional instructions, guidelines and answers provided by Itineris.

8.2. Itineris’ obligations

Itineris undertakes to implement this policy in good faith and not to take legal action, either civil or criminal, against you provided:

  • (i) you had reasonable grounds to believe that the reported information on a (potential) vulnerability was correct at the time of notification and that it fell within the scope of this Policy and applicable law with respect to notifying such vulnerabilities;
  • (ii) you strictly complied with any applicable local, national or international regulations, laws and implementing acts and the terms and conditions set forth in this Policy;
  • (iii) you did not cause any harm to our Resources or reputation (in particular, without limitation, by publishing or otherwise disseminating any (harmful or defamatory) information with respect to the Resources, Itineris or any output or findings generated in the execution of any activities under this Policy);
  • (iv) your actions and activities are free of any fraudulent or malicious intent and desire to use or cause harm.

9. Rewards or bounties

Itineris is not obliged under applicable law to and shall not provide any (monetary) reward or bounty to you for any (potential) vulnerabilities you informed us about.

Any request for a reward in consideration for any activities executed under the scope of this Policy may thus be considered as an illicit attempt at extortion.

10. Reporting a (potential) vulnerability

10.1. Notification

You shall, as soon as possible after your discovery of a (potential) vulnerability (i.e. at the latest within twenty-four (24) hours after becoming aware of a (potential) vulnerability), provide Itineris any information related to your findings with respect to the (potential) vulnerability in accordance with the notification modalities set forth below. If not all information is available within the aforementioned period, you will immediately provide any additional information when such information becomes available.

In the event you become aware of any information relating to a potential vulnerability, you should, where possible, carry out prior checks to confirm the existence of the vulnerability, identify any risks involved and provide any information related thereto to Itineris.

10.2. Point of contact

Any information about a (potential) vulnerability can only be sent to: vulnerability-disclosure@itineris.net.

To the extent reasonably possible, you must use secure means of communication, e.g. Secure Multipurpose Internet Mail Extensions (S/MIME).

10.3. Information to be provided

You shall provide us sufficient information so that we can examine and (attempt to) reproduce the (potential) vulnerability as quickly as possible by completing and providing at a minimum the information form set forth in Annex 1. You shall send the aforementioned form to vulnerability-disclosure@itineris.net.

Please note that only communications executed and information provided in English or Dutch will be considered.

10.4. Analysis

Upon receipt of a notification, Itineris undertakes to examine your notification and shall, as soon as possible and limited to the extent reasonably possible taking into account all relevant circumstances, send you an acknowledgement of receipt.

You undertake to assist Itineris with its examination of your notification and shall make every effort to ensure the continuous and effective communication with Itineris.

Itineris will duly examine any notification made under this Policy and will – to the best of its abilities – (attempt to) replicate the (potential) incident notified in order to verify the information reported.

Itineris undertakes – to the best of its abilities and limited to the extent reasonably possible taking into account all relevant circumstances (including without limitation the nature, complexity, urgency and scale of the (potential) vulnerability) – to inform you of the results of the investigations and the measures taken based on the notification.

In the absence of a reaction from one of the parties under this Policy beyond a reasonable time, the parties can call upon the Centre for Cybersecurity Belgium (CCB) (vulnerabilityreport@cert.be), as coordinator (by default).

11. Development of a solution

The objective of this Policy is, to the extent a vulnerability is effectively established, to enable the development of a solution to mitigate and/or resolve the vulnerability to the extent reasonably possible (including, without limitation, taking into account the then-current technological knowledge, the costs of implementation, the severity of the risks to users of the Resources and the technical constraints), before any damage or harm is caused.

For the avoidance of doubt, Itineris shall – in its sole discretion – assess and determine:

  • (i) whether a vulnerability exists; and
  • (ii) whether the development of a solution is desirable and if so which solution it shall (to the best of its abilities) try to develop.

12. Possible public disclosure

Itineris will decide, in its sole discretion, whether or not any information related to the (potential) vulnerability can be made public and subject to which modalities. The aforementioned applies to any information that might directly or indirectly refer to Itineris or Itineris’ business activities (including, without limitation, in publications for research or academic purposes). For the avoidance of doubt, you shall not disclose any information related to the (potential) vulnerability under this Policy without Itineris’ express prior written consent. Any allowed public disclosures should only take place simultaneously with the deployment of a solution and the distribution of a security notice to users of the affected Resources.

Without prejudice to the foregoing, Itineris undertakes, in accordance with applicable law, to inform the Centre for Cybersecurity Belgium (vulnerabilityreport@cert.be) in the event of a discovered vulnerability that also affects other organizations, even if it does not want the vulnerability to be disclosed publicly.

13. Warranties and liability

The Resources are made available to you “as is”. Itineris disclaims all warranties of any kind, either express or implied, including but not limited to warranties that the Resources will be without defect or error free, warranties of accuracy or completeness, availability, merchantability and fitness for a particular purpose, or non-infringement.

Subject to the maximum extent permitted by law, Itineris shall not be liable for:

  • (i) any indirect, punitive, special, consequential, or similar damage (including damages for loss of profit, lost revenue, loss of business, loss or corruption of data, loss of goodwill, and reputational damage, (potential) investments and costs of restoring data, damage to software, products or goods) arising or incurred due to the usage of or access to the Resources;
  • (ii) damages caused by you or any third parties; and
  • (iii) damages arising as a result of any breach of this Policy or applicable law.

You shall ensure that your actions, reports and notifications do not infringe any third party’s (intellectual property) rights.

You shall take all reasonable endeavors to prevent and mitigate potential damages to our Resources and third party resources.

14. Changes to this policy

Itineris may amend this Policy from time to time. The date of the most recent version is shown at the top of this Policy. Please review this Policy periodically to stay informed of changes that may affect you.

Amended versions of this Policy take effect ten (10) days after publication on the Website, unless such modifications are necessary to comply with a legal requirement. In the latter case, the changes will take effect immediately.

In certain circumstances, exceptions to this Policy may be agreed to upon mutual consent between Itineris and you based on a demonstrated business need. Exceptions must be formally documented and approved by Itineris and will be reviewed on a periodic basis for appropriateness.

15. Miscellaneous

If any provision of this Policy is held to be unenforceable (in whole or in part), the other provisions shall nevertheless continue in full force and effect. The provisions found to be unenforceable shall be enforceable to the full extent permitted by applicable law.

The terms of this Policy may only be waived by a written document signed by the party entitled to the benefits thereof. No such waiver or consent shall be deemed to be or shall constitute a waiver or consent with respect to any other terms or conditions, whether or not similar. Each such waiver or consent shall be effective only in the specific instance and for the purpose for which it was given, and shall not constitute a continuing waiver or consent.

The Centre for Cybersecurity Belgium (vulnerabilityreport@cert.be) may act as intermediary to attempt to reconcile us in the event any dispute arises related to this Policy.

This Policy shall be governed, interpreted, and implemented in accordance with Belgian law, which applies exclusively in the event of any dispute. The Belgian Courts (division Ghent, department Ghent) are exclusively competent to decide on any dispute that may arise from the interpretation or implementation of this Policy, without prejudice to the right to present a dispute before the competent court on the basis of a mandatory statutory provision.

Annex 1 – Form to report vulnerabilities

We ask you to provide at least the following relevant information:

  • Last name
  • First name
  • Address
  • Email address
  • Phone number
  • Description of (potential) vulnerability
  • Type of (potential) vulnerability
  • Configuration details
  • Operating system
  • Operations performed (logs)
  • Tools, methods and techniques used
  • Dates and times of the tests/activities
  • IP address or URL of the Resource concerned
  • In case of processing of personal data:
      • Categories of personal data accessed/processed
      • Categories of data subjects
      • Transfer of data to/access from a country outside the European Union or the European Economic Area? If yes, please indicate the country(ies) concerned
  • Any other relevant information
  • Attachments (screenshots).