Responsible Disclosure Policy

Version: 12-09-2025

What?

At Harmony, the protection of customer data is our top priority. That's why we work continuously on the availability and security of our systems, our network and our products. Despite our care for securing our systems, they may still contain vulnerabilities.

If you are an information security specialist and have discovered a potential vulnerability, please report it to us so that we can quickly take appropriate measures. We are happy to work with you to better protect our customers and our systems.

Our Responsible Disclosure policy (hereafter RD policy) is not an invitation to actively scan our corporate network for weak spots. We have taken measures for this ourselves. Should you do this anyway, there is a strong likelihood that our Security Operations Centre (SOC) will investigate this.

Making a Report

Have you found a vulnerability? Please send your findings to: security@harmonygroup.eu

After receiving your report, it will be handled as follows:

  • You will receive an acknowledgement of receipt within three working days of the report.
  • Within five working days of the acknowledgement of receipt, you will receive a response containing an assessment of the report and the expected resolution date. We strive to keep you informed about progress in the interim.
  • Harmony treats your report confidentially and will not share your details with third parties without your consent, except where legally required or by court order.
  • We will determine together with you whether and how to report on the identified problem. Reporting will only take place after the problem has been resolved. In reporting on the identified problem, Harmony will, if desired, mention your name as the discoverer.
  • To report a vulnerability, you may share personal data with Harmony. Harmony will not retain this data longer than necessary for this specific purpose and will delete it no later than one month after resolution of the problem.

Rules of Engagement

During your research, you may perform actions that constitute criminal offences. If you act in good faith and with good intentions, Harmony will have no reason to file a criminal complaint or a claim for damages.

We therefore ask you to follow the rules below and act responsibly:

  • Do not share the discovered problem with others until it has been resolved. Delete all confidential data obtained via the vulnerability immediately after the vulnerability has been resolved.
  • Provide us with information that is as complete as possible about how and when the vulnerability occurs. Clearly describe how the problem can be reproduced, and state the method used and the time of your investigation.
  • Handle knowledge about the security problem responsibly.
  • Do not perform actions that go beyond what is necessary to demonstrate the security problem.
  • Do not abuse the vulnerability and do not store confidential data obtained via the vulnerability in the system.
  • Do not abuse the vulnerability by, for example, downloading more data than necessary or viewing, deleting or modifying third-party data.
  • Share your contact details (email address or telephone number) with us so that Harmony can contact you regarding the assessment and progress of resolving the vulnerability.
  • Do not make system changes.
  • Do not use social engineering to gain access to a system.
  • Do not attempt to access the system more often than necessary.
  • Do not use brute force techniques to gain access to the systems.
  • Secure your own system as well as possible.

What You Cannot Report

The email address in this RD policy is not intended for:

  • reporting that our website or one of our services is unavailable.
  • reporting complaints.
  • reporting fake emails (phishing).
  • reporting matters related to HTTP security headers, for example:
    • Strict-Transport-Security
    • X-XSS-Protection
    • Content-Security-Policy
  • reporting cache purge possibilities.
  • reporting visibility of Google API keys.

Harmony employees and those of affiliated companies follow the existing internal incident procedure for reporting vulnerabilities.

This policy is based on the Responsible Disclosure Guidelines as drawn up by the NCSC of the Ministry of Security and Justice.

Last amendment to Responsible Disclosure policy: September 2025