Responsible disclosure

At LeasePlan, we consider the security of our systems a high priority. However, despite the considerable care we take regarding security, we realise that vulnerabilities can and will remain. If you do find such a vulnerability, we would appreciate being notified as soon as possible so that we can take appropriate measures to remediate it swiftly.

Please note that our responsible disclosure policy is not an invitation to actively probe our business network or internet-facing services to discover vulnerabilities. Such probes attract the attention of our security team and might trigger (costly) security investigations.

 

What we request from you:

  • Email your findings to responsible-disclosure@leaseplan.com. Please encrypt your findings using our PGP key to prevent sensitive information from falling into the wrong hands.
  • Do not take advantage of the vulnerability or problem you have discovered.
  • Do not reveal the problem to others until it has been resolved.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
  • Do provide adequate information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, although more information might be necessary for more complex vulnerabilities.
 

What we promise to do at LeasePlan Digital

  • Our Digital Security Team will confirm receipt within two business days.
  • We will respond to your report within three business days with our evaluation of the report and an expected resolution date.
  • We will always treat your notification confidentially and will never share your personal data with third parties, except when obliged to do so by law or pursuant to a court ruling.
  • We will keep you informed of the progress towards resolving the problem.
  • We will consult you on whether and how the issue is to be made public. We will never do so before the problem has been resolved. If we make the issue public, we will give you credit for identifying it, but only if you wish.
  • As a token of our gratitude for your assistance, we offer a reward for every report of a security problem that was not yet known to us. The amount of the reward will be determined based on the severity of the vulnerability and the quality of the report.
