Brussels Airlines Responsible Disclosure Statement

Responsible Disclosure Statement

At Brussels Airlines, we consider the safety and continuity of our online services as one of our top priorities. Our specialists are continually working to optimise our systems and processes, yet despite all the effort we put in to securing our systems, vulnerabilities may still be present.

We investigate all reports of security vulnerabilities affecting our web presence. If you are a security researcher and you believe you have found a security vulnerability, please help us by reporting it so that we can work together to improve the safety and reliability of our systems.

You can report vulnerabilities by joining the Intigriti bug bounty programme and registering as a researcher:
https://www.intigriti.com

Intigriti is a crowdsourced security platform where security researchers and companies meet. As an ethical hacking and bug bounty platform, Intigriti aims to identify and tackle vulnerabilities in a cost efficient way. The platform facilitates online security testing through collaborating with experienced researchers.

Can I be rewarded for my report?

As an Intigriti researcher, you can earn good money. If you are willing to go public with your responsible hacking activities, you can receive financial rewards. Intigriti pays out rewards for every bug you manage to find and submit as the first researcher. Please be aware, Intigriti does not accept registrations from anonymous researchers.

With Our Thanks

If your vulnerability report is valid and you would like to be recognised for your contribution, we will gladly add you to our “Brussels Airlines InfoSec Hall of Fame”, by name or anonymously. Rest assured, we will only add you to our “Hall of Fame” if you explicitly request this.

Can I Report A Vulnerability Anonymously?

If you prefer not to provide your name and contact details, you can report a vulnerability directly to Brussels Airlines. However, you should consider that without this information we will be unable to discuss the next steps with you, or add you to our “Hall of Fame”.

To report a vulnerability directly to us, please send an e-mail to our security team:
InfoSec@brusselsairlines.com

Our specialists will read your report and start working on it right away.

Please ensure that your e-mail is clear and succinct. In particular, please include the following information:

  • Description of the discovered vulnerability or risk
  • Evidence of the finding (e.g. Proof of Concept, video, screenshot, etc.)
  • The steps you undertook
  • The entire URL
  • Objects possibly involved

Examples of vulnerabilities could be:

  • Cross-site scripting (XSS) vulnerabilities
  • SQL injection vulnerabilities
  • Remote Code execution
  • Authentication bypass
  • Encryption vulnerabilities

Vulnerability Testing Rules

To ensure that your testing remains lawful, refrain from using invasive or destructive techniques. Always adhere to these rules:

  • Do not disrupt our online services.
  • Do not use techniques that can influence the availability of our online services.
  • Do not make any changes to the system.
  • Do not modify or delete any data in the system.
  • In case your finding requires a copy of the data from the system, do not copy more than your investigation requires. If one record is sufficient, do not copy more.
  • Do not make any customer or business data public.
  • Do not create a backdoor in any system.
  • Do not attempt to penetrate the system more than required. In case you successfully penetrate the system, do not share gained access with others.
  • Do not use any brute force techniques (e.g. repeatedly entering passwords) in order to gain access to the system.
  • Do not use social engineering in order to gain access to our IT systems.

Vulnerability Reporting Guidelines

To ensure the best outcome, please follow these guidelines:

  • Create your report in Dutch, French, or English. Reports in other languages will not be processed.
  • Give us enough details to enable us to reproduce the vulnerability.
  • Allow us a reasonable amount of time to fix the vulnerability before making any information public.
  • Consult with us before making any information public.
  • Do not ask Brussels Airlines to compensate you for your report.

Our Vulnerability Reporting Commitment

You can expect the following commitments from us:

  • We will let you know that we received your report.
  • We will give you an estimate of how long the fix will take.
  • We will tell you when we have fixed the vulnerability.

Your Privacy

Your personal information will only be used to approach you regarding your vulnerability report. We will not distribute your personal information to third parties without your permission. Should the law require us to provide your personal information to an authority we will ensure that the applicable authority treats your personal information confidentially. We will remain responsible for your personal information.

Thank you for your support.
Information Security Team - Brussels Airlines

Last update: March 2019