Responsible Disclosure

How to report a vulnerability in an Efteling IT system (Responsible Disclosure)

At Efteling, we take the security of our systems very seriously. Despite our efforts to ensure our systems are secure, vulnerabilities can still arise. If you discover an issue with the security of any of our systems, please inform us as soon as possible so we can take prompt action to address it. We are keen to work with you to better protect our systems as well as our guests' data. 
 
Our Responsible Disclosure policy is not an invitation to actively search for vulnerabilities by performing extensive scans of our corporate network. We monitor our network ourselves. There is a high likelihood that any such scans will be detected and investigated by our Security Operation Centre (SOC). This could incur unnecessary costs.
 
If you wish to report a vulnerability in an Efteling IT system, please contact cybersecurity@efteling.com.


Key considerations for Responsible Disclosure

When reporting a vulnerability in an Efteling IT system, please consider the following:

  • Provide enough information to enable us to replicate the problem so we can resolve it as quickly as possible. The affected system's IP address or URL (link) and a description of the vulnerability are usually sufficient. If the issue is more complex, we may require additional information.
  • Leave your contact details (e-mail address and/or telephone number) so we can get in touch with you.
  • Report the vulnerability as soon as possible after discovering it.
  • Do not share information about the security issue with anyone else until it has been resolved.
  • Information regarding the security issue should be handled responsibly. Do not perform any action that goes beyond what is necessary to demonstrate the security issue. 
  • Any confidential data obtained during your investigation should be deleted immediately once the issue has been resolved.

Do not exploit any vulnerability in our IT system

If you discover a vulnerability, do not exploit it. For example, do not:

  • Install malware.
  • Copy, change or delete any data in a system (you may create a directory listing of a system as an acceptable alternative).
  • Make changes to the system.
  • Repeatedly access the system or share access with others. 
  • Use brute-force attacks to gain access to systems.
  • Engage in denial-of-service attacks or social engineering tactics.

What you can expect from us

By reporting a vulnerability in our IT system, you play a crucial role in helping to prevent critical information from falling into the wrong hands or being used for fraudulent or criminal activities.
 
We will treat your report as confidential. We will not share your personal data with third parties without your permission, unless this is required by law or a court order. We will keep you informed about how we are dealing with your report.

  • We will respond to your report within five working days and will give you an estimated timeframe for the resolution of the issue. We will also regularly update you on our progress.
  • We will resolve the vulnerability issue as quickly as possible. Resolution times may vary as they depend on various factors, including the severity and complexity of the issue.  
  • No legal action will be taken against you, providing you follow the guidelines outlined above. 
  • If you report a vulnerability of which we were previously unaware, we would like to offer you a token of our gratitude for your assistance in improving the security of our systems. Depending on the severity of the issue and the quality of your report, this can range from a keyring to free Efteling entrance tickets.
  • If you find a vulnerability in any third-party software used by Efteling that is part of a bug bounty programme, you will be entitled to any resulting reward.

Responsible Disclosure policy

In creating this Responsible Disclosure policy, we have followed the guidelines for Responsible Disclosure provided by the Dutch Government.
