Infrabel's coordinated vulnerability disclosure policy

Scope of the policy

Infrabel is committed to ensuring the security of its networks and information systems. However, it is possible that, despite all its efforts, a security flaw may be discovered and is at risk of being exploited. Infrabel has therefore chosen to adopt a coordinated vulnerability disclosure policy. This policy gives external participants the opportunity to search, in good faith, for potential vulnerabilities in Infrabel's networks and information systems and/or to pass on to Infrabel any information they discover about a vulnerability.

Limited access to Infrabel's networks and information systems is only allowed to persons intending to improve security and to provide information to Infrabel (at the following address: vulnerabilitydisclosure@infrabel.be) about existing vulnerabilities, in strict compliance with the other conditions set out in this policy.

This policy relates to security vulnerabilities that could be exploited by third parties or disrupt the smooth operation of the following Infrabel networks and information systems:

  • the Infrabel website, namely infrabel.be
  • Infrabel's web or mobile applications
  • Infrabel's networks and information systems

Searches on the part of the participant on information systems not explicitly included as part of this policy, on systems of third parties other than Infrabel (such as infrastructure or Cloud solutions) and actions by the participant that do not comply with the conditions set out below may result in legal proceedings against the participant.

In short, Infrabel expects the following behaviour from the participant (the participant should also consult the detailed terms and obligations of this policy):

  • The participant may only search for vulnerabilities in the Infrabel systems designated in this policy.
  • The participant may not carry out searches for vulnerabilities in the systems of third parties external to Infrabel (such as infrastructures or cloud services external to Infrabel).
  • The participant shall not share with third parties the existence of the vulnerability, or information relating to the vulnerability or to data on the computer systems, even after the problem has been resolved.
  • The participant shall not abuse the vulnerability, he/she shall only take the actions necessary in good faith to demonstrate the security flaw to Infrabel, and he/she may not, for example i) copy, modify, delete, download data and/or passwords from a computer system, ii) access systems if this is not necessary to demonstrate the security flaw, iii) give third parties access to systems.
  • The participant may not:
      • Modify a computer system's settings
      • Permanently and irreversibly modify a computer system
      • Interfere with the correct operation of systems (e.g. carrying out automatic scans)
      • Install malicious software (malware), viruses, worms, Trojan horses, etc.
      • Launch denial of service (DOS or DDOS) attacks
      • Launch social engineering attacks
      • Launch phishing attacks
      • Launch spamming attacks
      • Steal passwords or launch brute force password attacks
      • Bypass or attack the physical security of installations
      • Intentionally intercept, record or acquire knowledge of a communication not accessible to the public or of an electronic communication, or install devices enabling these actions
      • Intentionally use, possess, reveal, utilise or disclose the contents of communications not accessible to the public or data from a computer system
  • The participant shall notify Infrabel as soon as possible of his/her discovery of a security flaw, exclusively to the following address: vulnerabilitydisclosure@infrabel.be, using the secure channel made available by Infrabel.
  • After reporting to Infrabel, the participant shall delete all data obtained during the course of his/her search for vulnerabilities.
  • If in any doubt about how this policy applies, the participant shall question Infrabel (at the following address: vulnerabilitydisclosure@infrabel.be) and obtain its prior written agreement before acting.

Obligations incumbent upon parties

Proportionality

The participant undertakes in all his/her actions not to disrupt the availability of the services provided by the system and not to make use of the vulnerability beyond what is strictly necessary to demonstrate the security flaw to Infrabel. The participant undertakes to collect only the information necessary to inform Infrabel of the security flaw discovered.

The participant shall not therefore abuse the vulnerability: he/she shall only take the actions necessary to demonstrate the security flaw to Infrabel, and he/she may not, for example i) copy, modify, delete or download data and/or passwords from a computer system, ii) access systems if this is not necessary to demonstrate the security flaw, iii) give third parties access to systems.

The aim of this policy is not to allow the intentional acquisition of knowledge of the content of computer data, communications data or personal data, and such knowledge could only be acquired incidentally as part of any search for vulnerabilities. Where this is the case, the participant may not hold such data any longer than necessary and all data collected by the participant must be deleted immediately.

Other prohibited actions

The participant may not take any of the following actions:

  • Copy, modify or delete data and/or passwords from a computer system
  • Modify a computer system's settings
  • Permanently and irreversibly modify a computer system 
  • Interfere with the correct operation of systems (e.g. carrying out automatic scans)
  • Install malicious software (malware), viruses, worms, Trojan horses, etc. 
  • Launch denial of service (DOS or DDOS) attacks
  • Launch social engineering attacks 
  • Launch phishing attacks 
  • Launch spamming attacks 
  • Steal passwords or launch brute force password attacks 
  • Bypass or attack the physical security of installations
  • Intentionally intercept, record or acquire knowledge of a communication not accessible to the public or of an electronic communication or install devices enabling these actions.
  • Intentionally use, possess, reveal, utilise or disclose the contents of communications not accessible to the public or data from a computer system 

As a general rule, any breach will result in Infrabel lodging a complaint.

If the participant requires the assistance of a third party to carry out his/her research, the participant must ensure that the third party has read this policy beforehand and, by offering his/her assistance, agrees to abide by its terms.

Confidentiality

The participant must refrain from sharing, disclosing to third parties or publishing any information about the security flaw that he or she has discovered, whether this is before or after informing Infrabel, including after the discovered flaw has been resolved.

Similarly, it is not permitted to reveal or disclose computer data, communications data or personal data to third parties.

Performance in good faith

Infrabel undertakes to implement this policy in good faith and not to bring any civil or criminal proceedings against the participant who shall comply with its conditions.

The participant must have no fraudulent intent, no intention to harm, no desire to use or cause damage to the accessed system or its data.

If there is any doubt about any of the conditions of this policy, the participant must question Infrabel (at the following address: vulnerabilitydisclosure@infrabel.be) and obtain its prior written agreement before acting.

Processing of personal data

The purpose of a coordinated vulnerability disclosure policy is not to intentionally process personal data, although the participant may have to process personal data (for example, an e-mail address, identification number, online identifier, IP address or location data), even incidentally, as part of his/her searches for vulnerabilities.

Where such data is processed, the participant undertakes to comply with the legal obligations relating to the protection of personal data[1] and the terms of this policy, in particular:

  • The participant undertakes to process personal data exclusively for the purpose of searching for vulnerabilities in Infrabel's networks and information systems covered by this policy. Personal data may not be processed for any other purpose.
  • The participant undertakes to limit the processing of personal data to what is necessary for the purpose of searching for vulnerabilities.
  • The participant implements appropriate technical and organisational measures to guarantee a level of security appropriate to the risk (for example, encryption).
  • The participant undertakes to inform Infrabel (at the following address: vulnerabilitydisclosure@infrabel.be), as soon as possible after becoming aware of any possible breach[2] of personal data.
  • The participant may not keep any personal data that he/she has processed for any longer than necessary. During this period, the participant must ensure that this data is stored with a level of security appropriate to the risks involved (preferably encrypted). Once the security flaw has been reported to Infrabel, as provided for in this policy, this data must be immediately and permanently deleted.

The participant may work with a third party to carry out his/her research. The participant must ensure that the third party has read this policy in advance and, by offering his/her assistance, agrees to abide by its terms, including confidentiality and the implementation of appropriate security measures. The participant acknowledges that he/she remains fully liable to Infrabel if the third party he/she has engaged does not fulfil its obligations in terms of confidentiality and data protection.

---------------------

[1] European Regulation No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR General Data Protection Regulation).

[2] A "personal data breach" is a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data. 

Reporting vulnerabilities

Contact person

You must send the information discovered exclusively to the following e-mail address:

vulnerabilitydisclosure@infrabel.be

We invite you to use the following secure means of communication:

Pretty Good Privacy (PGP) with the following Key ID

Information to be sent

As soon as possible after the discovery of the security flaw, send us information about your findings.

Please provide enough information to enable Infrabel to reproduce the problem and resolve it as quickly as possible.

We ask you to provide us with at least the following relevant information:

  • Surname
  • First name
  • E-mail address / Telephone number
  • Description of the vulnerability
  • Type of vulnerability
  • Configuration details
  • Operating system
  • Operations carried out (logs)
  • Tools used
  • Test dates and times
  • IP address or URL of the affected system
  • Where personal data is processed: types of personal data accessible / categories of data subjects / data processing carried out by the participant
  • Any other relevant information / Appendices (screenshots)

We invite you to submit your information in French, Dutch or English.

Procedure

Discovery

When a participant discovers information relating to a potential vulnerability, he/she must, wherever possible, carry out prior checks to confirm the existence of the vulnerability and identify any risks involved.

Reporting

The participant undertakes to notify Infrabel of technical information about any vulnerabilities as soon as possible (exclusively to the following address: vulnerabilitydisclosure@infrabel.be). The participant must observe the secure means of communication designated by Infrabel.

When it receives a report, Infrabel undertakes to send the participant, as soon as possible, an acknowledgement of receipt together with an explanation of the next steps in the procedure.

Communication

Infrabel and the participant undertake to do their utmost to ensure continuous and effective communication. The information provided by the participant may prove to be very useful in identifying the vulnerability and finding a solution.

Investigation

The investigation phase enables Infrabel to reproduce the environment and behaviour reported in order to verify the information communicated.

Infrabel undertakes to keep the participant regularly informed of the results of investigations and the action taken in response to his/her report.

During this process, Infrabel and the participant will ensure that the link is made with similar or related notifications, will assess the risk and the seriousness of the vulnerability, and identify any other systems that may be affected.

Development of a solution

The aim of this policy is to enable the development of a solution to eliminate the vulnerability of the computer system, before any damage is caused.

Taking into account the state of knowledge, the costs of implementation, the seriousness of the risks involved and any technical constraints, Infrabel will try to develop a solution within no longer than 90 calendar days.

Possible public disclosure

Infrabel will decide, after informing the participant, whether and how to make public the existence of the vulnerability. Any such public disclosure should be made at the earliest at the same time as the deployment of a solution and the distribution of a security alert to users.

In the event of a vulnerability that also affects other organisations, Infrabel will, in any case, inform the Centre for Cybersecurity Belgium, even if it does not wish the vulnerability to be disclosed publicly.

Applicable law

Any disputes arising from the application of this policy shall be governed by Belgian law.

Duration

The policy rules apply as from 2 May 2024 until they are amended or deleted by Infrabel. These modifications or deletions will be published on the Infrabel website and will apply automatically 30 days after publication.