Responsible Disclosure

At For-Motion e-Mobiliteit B.V. we attach great value to the security of our systems and the protection of our customers' data. Despite all care, a vulnerability may still exist. If you discover a security vulnerability, we kindly request you to report this to us as soon as possible, so that we can take the necessary measures.

Scope

This policy applies to vulnerabilities you discover in any service managed by For-Motion e-Mobiliteit B.V., including <1>for-motion.nl and all subdomains.

Reporting Guidelines

• Send your findings to <1>info@for-motion.nl and provide sufficient information to reproduce the problem.
• Do not abuse the vulnerability and do not modify, delete or view data that is not yours.
• Do not use automated scanners that may affect the availability of our services.
• Give us a reasonable period (minimum 30 days) to investigate and resolve the problem before disclosing it publicly.
• Do not share the information with third parties without our express permission.

What we promise

• We respond within 5 working days to your report and keep you informed of progress.
• Your report will be treated confidentially and we will not share your personal data with third parties without permission.
• If you follow these guidelines, we will not take legal action against you.
• Where possible, we offer recognition or a small token of appreciation as thanks for your responsible disclosure.

Out-of-scope findings

The following are generally out of scope for this policy:

• Denial-of-Service (DoS) or rate-limiting issues.
• Reports about outdated browser versions.
• Missing security headers that do not lead to a direct vulnerability.
• Self-XSS or social engineering attacks.

Credits

With your permission we will list your name in our Hall of Fame once the vulnerability has been resolved.

This Responsible Disclosure policy was last updated on 2 May 2025.