Responsible disclosure

At VPRO our systems and data are essential and we safeguard them with the utmost care. Still, weak spots in our security can occur and can potentially put our systems at risk. VPRO asks anyone who has discovered weak or vulnerable spots in our security to come forward, based on the Responsible Disclosure principle. Help us keep data safe and/or improve our security.
Go to
- VPRO privacyverklaring (Dutch)
- cookiebeleid (Dutch)
- cookie-instellingen (Dutch)
- VPRO x PublicSpaces (Dutch)
- PublicSpaces
- Verantwoorde openbaarmaking (Dutch)
VPRO responsible disclosure policy
At the Dutch public broadcasting organization VPRO, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
If you discover a vulnerability, we would like to know about it, so we can address it as quickly as possible. We would like to ask you to help us protect our members and our systems.
Please do the following
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible,
- E-mail your findings to responsibledisclosure@vpro.nl,
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data,
- Do not reveal the problem to others until it has been resolved,
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications from third parties.
What a valid report contains
- The URL or IP address of the affected system,
- Clear reproduction steps or a working proof-of-concept,
- A description of the actual security impact: what could an attacker realistically do?
Reports consisting of unverified output from automated scanning tools or AI tools will not be processed. We expect you to have manually verified your finding before reporting it.
Out of scope
The following issues are out of scope and do not qualify for a response, acknowledgement or reward:
- Output from automated scanners without a validated proof-of-concept,
- Missing security headers (such as CSP, X-Frame-Options, HSTS) without a demonstrated exploit,
- SPF, DKIM or DMARC configuration issues,
- Software version or banner disclosure without a working exploit,
- Self-XSS,
- Clickjacking on pages without sensitive actions,
- Missing rate limiting or other "best practice" deviations without demonstrated security impact,
- Use of outdated software or libraries without a demonstrated vulnerability,
- Theoretical issues without a realistic attack scenario.
What we promise
- We will respond to all valid, in-scope reports. For severe or high-impact vulnerabilities we will respond within 3 business days with our evaluation and an expected resolution date; for other valid reports we strive to respond within 6 business days. Reports that do not meet the requirements above may not receive a response,
- If you have followed the instructions above, we will not take any legal action against you in regard to the report,
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission,
- We will keep you informed of the progress towards resolving the problem,
- In the public information concerning the problem reported, we will mention your name as the discoverer of the problem (unless you desire otherwise),
- We appreciate your assistance. Only for a valid, in-scope report of a vulnerability that is unknown to VPRO and severe may you receive a reward: a mention in our Wall of Fame and/or a small non-monetary token of appreciation, depending on the severity of the vulnerability and the quality of the report. Out-of-scope reports and unverified scanner output never qualify.
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.
Wall of fame
Here we will thank the people that reach out to us concerning vulnerabilities in our security and act according to our responsible disclosure policy, enabling us to (re)ensure the safety of our systems and data.
- Harsh Dineahbhai maheta
- Rokkam Vamshi
- Nikhil Rane
- Adrian Tirado Garcia
- Arjun E
- Björn Larsson
- Himanshu Kumar
- Kartik Bansal
- Keyur Mehta
- Mahmoud Elgendy
- Parag Bagul
- Sabarinath Panikken
- Sergen Koç
- Sumit Patel
- Suraj Yadav
- Shrivallabh Walkade
- Vaibhav Survase
- Abdelrahman Ibrahim Farg
- Abdul Rauf Memon
- Martin van Wingerden
- Yogesh Bhandage
- Raghav Arora