KLM Coordinated Vulnerability Disclosure

At KLM, we prioritise the security of our systems and data. But no matter how much effort we put in, there will still be vulnerabilities. We ask your help to protect our systems and data better. If you discover a vulnerability, we want you to tell us about it first so we can address it as quickly as possible. This kind of report is called a Coordinated Vulnerability Disclosure, or CVD.

Do's

  • Please submit your findings on Zerocopter to tell us about any vulnerabilities you know of. That page also includes information on the areas and vulnerabilities we consider in and out of scope.
  • Report in a manner that safeguards the confidentiality of the report so that others do not gain access to the information.
  • Report the vulnerability as quickly as possible to minimise the risk of threat actors exploiting it.
  • Please provide sufficient information to reproduce and resolve the vulnerability. Usually, the affected system's IP address or URL and a vulnerability description are sufficient. Complex vulnerabilities require further in-depth explanation.

Don'ts

  • Please do not take advantage of the vulnerability you have discovered, for example, by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying our data.
  • Please do not reveal the vulnerability to others until it has been resolved.
  • Please do not use the vulnerability for attacks on physical security, social engineering, distributed denial of service, spam or (web)applications of other parties.
  • Please do not repeatedly access the system or share access with others.
  • Please do not actively perform automated scans on our infrastructure and systems to identify vulnerabilities.
  • Please do not use ‘brute force attack’ techniques to gain access to our systems or data, as this does not qualify as a vulnerability.

Our promises

  • We offer a reward for every vulnerability disclosure that is not yet known to us as a token of our gratitude for your assistance. The reward amount will be determined based on the severity of the vulnerability. Payments are made after a report gets the status “resolved”.
  • We will inform you about the progress towards resolving the vulnerability via Zerocopter.
  • We handle your report confidentially and will not share your personal details with third parties without your consent unless we are obliged to do so by law or by a court ruling.
  • We will not take legal action if you submit a vulnerability in line with the procedure.