Details

Responsible Disclosure – Van Lanschot Kempen

Van Lanschot Kempen considers the security of its systems a top priority. If you identify a weakness, we request that you report it to us responsibly.

Who can report

Any individual who discovers a vulnerability within our systems may submit a report.

Scope

The responsible disclosure programme applies only to the following domains, including all subdomains:

*.evivanlanschot.nl
*.merciervanlanschot.be
*.vanlanschot.be
*.vanlanschot.com
*.vanlanschot.nl
*.vanlanschotkempen.com
*.vanlanschotkempen.nl
*.vlkdigital.com

Reportable vulnerabilities

Reports may concern security issues related to the services Van Lanschot Kempen provides online. Examples include:

Remote Code Execution
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
SQL Injection
Encryption weaknesses
Unauthorized access to data

Exclusions

The following are outside the scope of this programme:

Reports lacking sufficient evidence of exploitability
Submissions generated or authored by AI tools
SPF/DKIM/DMARC-related issues
Disclosure of version banners or fingerprinting of common/public services
Publicly accessible non-sensitive files and directories (e.g., robots.txt)
Autocomplete or “save password” functions
CSRF on static pages or logout functions
Brute force attempts on password reset pages
Missing HTTP security headers (HSTS, CSP, etc.)
Non-sensitive cookie flags
Clickjacking
User enumeration on non-payment websites
Outdated software without verified vulnerability or proof of exploitation
TLS/SSL configuration weaknesses without proven impact
Vulnerabilities beyond the control of Van Lanschot Kempen
Denial-of-Service (DoS/DDoS) attacks
Spam, phishing, or social engineering techniques
Automated scanning reports

Exclusion of AI-generated reports

Reports must be the result of direct human investigation and analysis. Submissions that are wholly or partially produced, written, or generated by artificial intelligence tools or automated systems will not be accepted. This requirement ensures that all reported vulnerabilities are based on verifiable, practical research and not automated or speculative output.

Reporting procedure

Reports must be submitted by email to:
[email protected]

A report should contain:

A detailed description of the vulnerability
Steps to reproduce the issue
Any relevant technical details or proof of concept

Reports may be submitted anonymously.

Handling of reports

Reports will be reviewed by a security team. An initial response will be provided within two working days. During this period, the reporter is expected to keep the information confidential and cooperate with Van Lanschot Kempen until a resolution is reached. The reporter will be informed of the assessment and any follow-up actions.

Rewards

Van Lanschot Kempen may, at its discretion, grant a reward for a report that results in an improvement or resolution. To receive a reward, the reporter must provide personal details for processing. Anonymous reports are accepted but cannot be rewarded.

Rules of conduct

To ensure lawful and responsible reporting, the following rules must be observed:

Do not cause damage or disrupt services.
Do not access, alter, copy, or delete more data than is strictly necessary.
Do not install backdoors or create persistent access.
Limit actions to those required to demonstrate the vulnerability.
Do not use automated vulnerability scanners.
Do not attempt brute force or social engineering techniques.
Do not share or reuse access once obtained.
Only the first reporter of a vulnerability is eligible for a reward.

Misuse of contact address

The responsible disclosure address may not be used for:

General service complaints
Fraud or phishing reports
Malware or virus reports
Questions regarding ATM or internet service availability
Sales or marketing activities

Privacy

Reporters may remain anonymous or provide personal contact details. Van Lanschot Kempen will not disclose the reporter’s identity without consent unless legally required. Personal data will be processed solely for the purpose of handling the report, in line with the Personal Data Protection Act (WBP).

Applicable law

All matters related to responsible disclosure are governed by Dutch law. Reports must be submitted in Dutch or English.

Exclusions

The following are outside the scope of this programme:

Reports lacking sufficient evidence of exploitability

Submissions generated or authored by AI tools

SPF/DKIM/DMARC-related issues

Disclosure of version banners or fingerprinting of common/public services

Publicly accessible non-sensitive files and directories (e.g., robots.txt)

Autocomplete or “save password” functions

CSRF on static pages or logout functions

Brute force attempts on password reset pages

Missing HTTP security headers (HSTS, CSP, etc.)

Non-sensitive cookie flags

Clickjacking

User enumeration on non-payment websites

Outdated software without verified vulnerability or proof of exploitation

TLS/SSL configuration weaknesses without proven impact

Vulnerabilities beyond the control of Van Lanschot Kempen

Denial-of-Service (DoS/DDoS) attacks

Spam, phishing, or social engineering techniques

Automated scanning reports

Exclusion of AI-generated reports

Handling of reports

Rules of conduct

To ensure lawful and responsible reporting, the following rules must be observed:

Do not cause damage or disrupt services.

Do not access, alter, copy, or delete more data than is strictly necessary.

Do not install backdoors or create persistent access.

Limit actions to those required to demonstrate the vulnerability.

Do not use automated vulnerability scanners.

Do not attempt brute force or social engineering techniques.

Do not share or reuse access once obtained.

Only the first reporter of a vulnerability is eligible for a reward.

Privacy