Introduction
At Comoo, the security of our systems is very important to us. Despite the care we take, it is always possible that a vulnerability exists in one of our platforms or systems. If you suspect or have found a vulnerability or security flaw in one of our systems, whether physical or digital, please let us know so that we can take security measures as soon as possible. We would like to work with you to better protect our systems, our customers and our ecosystem.
Scope
Audience
- Website Visitors,
- Physical visitors on Comoo premises,
- Employees and staff,
- Customers,
- Contractors and partners,
- Prospects,
- …
Protocol
We ask you:
- Provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more complex vulnerabilities may require more detail,
- Encrypt your findings with our PGP key (https://www.Comoo.be/public_key.zip) to prevent the information from falling into the wrong hands,
- Email your findings to security@Comoo.be.
Please refrain from:
- Abusing the problem by, for example, downloading more data than is necessary to demonstrate the leak or to view, delete or modify data from third parties,
- Sharing the problem with others until it is resolved; erase all confidential data obtained through the leak immediately after the leak is closed,
- Attacks on physical security, social engineering, distributed denial of service, spam or third-party applications, damaging our platforms in any way, or impacting the performance of these systems.
Please be aware:
There is a legal protocol to be followed (see legal reference below).
Any illegal access to our systems can and will be prosecuted to the maximum extent if this regulatory protocol is disregarded.
What we promise:
- We will respond to your report as soon as possible, and within 5 working days at most, with our initial assessment of the report and an expected date for resolution,
- If you have complied with the above conditions and with the legal conditions under cyber law, we will not take any legal action against you regarding the report,
- We will treat your report confidentially and will not share your personal data with third parties without your permission unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is possible,
- We will keep you informed of the progress of solving the problem,
- In notifying you of the reported problem, we will, if you wish, mention your name as the discoverer, and
- Depending on the severity, Comoo may consider a reward, but this will be evaluated case by case and at the sole discretion of Comoo. There will be no negotiation on the reward.
Publication of the resolution
- Only Comoo decides on any public or official communication and publication on these vulnerabilities.
- No publication is allowed without agreement and validation by Comoo.
Courtesy
This responsible disclosure policy is based on the open source project responsibledisclosure.nl, published under the Creative Commons v3 license: https://responsibledisclosure.nl/.
Legal reference
Please be aware that the reporting of any digital vulnerability is bound to legislation.
As Comoo HQ is located in Belgium, the Belgian law on vulnerability disclosure applies.
In short (quoted from the CCB website):
- You must limit yourself strictly to the facts necessary to report a vulnerability. Thus, you must not act beyond what is necessary and proportionate to verify the existence of a vulnerability.
- You must act without fraudulent intent or design to harm.
- As soon as possible after the discovery of the potential vulnerability (and at the latest at the time of reporting to the national CSIRT), you must inform the organisation responsible for the system, process or control of the vulnerability.
- You must report the discovered vulnerability to the CCB (in the absence of a CVDP) as soon as possible, in writing and according to the procedures described in point D of the CCB policy.
- You must not publicly disclose information about the discovered vulnerability without the agreement of the national CSIRT (CCB).
More information: https://ccb.belgium.be/en/vulnerability-reporting-ccb.
General company info
Contact: https://www.Comoo.be/contactus
Company registration (HQ, Belgium): BE725.425.683
Comoo HQ
Administrative Address: Waterloolaan 77 / W6.03 1000 Brussel
Operational HQ: Schaarbeeklei 485, 1800 Vilvoorde
Phone: +32 2 255 82 20
Email: security@comoo.be