Responsible Disclosure Policy

Background, Scope & Purpose

Club Brugge attaches significant importance to the security of its data (including, for example, player and fan data) and its information systems. Nevertheless, despite our best efforts and concern, vulnerabilities may still exist that, for example, an ethical hacker or computer scientist may discover.

Club Brugge has therefore opted for this policy of coordinated disclosure of vulnerabilities (also known as the ‘Responsible Disclosure Policy’) so that people who discover a vulnerability can inform us about it privately and securely.

This Responsible Disclosure Policy applies to all Club Brugge information systems.

Policy Requirements

Reporting a vulnerability

Responsible disclosure reveals vulnerabilities in a responsible manner in joint consultation between you and Club Brugge. If you discover a vulnerability in one of our systems, you must:

  1. Report the issue by sending an email to vulnerability-disclosure@clubbrugge.be
    1. Write your message in English, French or Dutch.
    2. Explain the issue and provide sufficient details to allow us to identify and/or reproduce it, so that we can resolve the problem as quickly as possible.
    3. Provide additional information such as IP addresses, URLs of the affected system, screenshots, etc.
    4. Encrypt the finding with our public PGP key if it contains confidential information (e.g., information about higher-risk vulnerabilities) to prevent the information from falling into the wrong hands.
  2. Leave your contact details so Club Brugge can contact you if needed to work together towards a solution. Leave at least your name, e-mail address and/or telephone number. Reporting under a pseudonym is possible, but make sure that we can contact you if we have additional questions.

Do’s and Don’ts that apply

Do not disclose any information regarding the security issue through other channels.

Do not share information concerning the vulnerability with third parties, whether before or after informing Club Brugge about the issue, or even after it has been resolved. Such behavior will be considered irresponsible and civil law proceedings may be instituted against you. If, after the vulnerability has been removed, you wish to publish information about the vulnerability, we ask you to notify us at least one month before publication and to give us the opportunity to respond. Identifying us in a publication is only possible after we have given our explicit approval.

Do not abuse the vulnerability found.

Acts under this Responsible Disclosure Policy should be limited to conducting tests to identify potential vulnerabilities, and sharing this information with Club Brugge:

  • Do not take any action that is not absolutely necessary to detect a potential vulnerability or report a vulnerability.
  • Only collect the information necessary to inform us of the issue.
  • Do not copy, delete, view or modify Club Brugge data.

Do not perform actions that could have an impact on the proper functioning of our systems, both in terms of availability and performance and in terms of confidentiality and integrity of the data. It is therefore not allowed, for example, to perform any of the following actions (non-exhaustive list): placing malware; copying, modifying or deleting data in a system; making changes to the system; using brute-force techniques to access a system; (distributed) denial of service attacks.

Do not use attack methods that test the physical security of our buildings and premises.

Do not use attack methods that target our people (e.g., via phishing and other social engineering methods).

In case of doubt about the applicability of this policy, please contact us first via the above-mentioned e-mail address, to ask for explicit permission.

What we promise

  • We will respond to your report within 10 working days, with our review of the report and any expected date for resolution. We strive to solve all problems within a short period of time.
  • We will contact you again if we need any additional information.
  • We will inform you of the progress of solving the issue identified.
  • We will thank you for any report of a security vulnerability, and if the vulnerability was not yet known to us, we would like to offer to list you in our Responsible Disclosure Wall of Fame.
  • We will treat your report confidentially and will not share your personal data with third parties without your consent unless this is necessary to comply with a legal obligation.

Further considerations

We reserve the right to ignore low-quality reports, including those that report vulnerabilities that are negligible in terms of risk.

If you find a vulnerability, but do not follow the responsible disclosure rules set out above, we reserve the right to take action or legal proceedings and/or to report the matter to the police.

We reserve the right to change the content of this Policy at any time or to terminate the Policy.