Responsible disclosure

Let us know! The safety of your client information is extremely important to us. That is why we strive continuously to keep our services secure. Nevertheless, sometimes something can go wrong. We appreciate it if you let us know, so that we can take measures. In this way, we work together to improve the security of our data and systems.

You can report vulnerabilities in our services, such as:

• Cross-Site Scripting (XSS) vulnerabilities.
• SQL injection vulnerabilities.
• Weak spots in the set-up of secured connections.
• Please explain the problem in as clear and complete a manner as possible.

If the vulnerability has a low or accepted risk, Achmea may decide not to give a reward for its disclosure. Examples of these vulnerabilities are listed below:

• HTTP 404 codes or other non-HTTP 200 codes
• Run-on type inserted in 404-page
• Version banners on public services
• Files and folders accessible to the public with non-sensitive information
• Click jacking on pages without log-in function
• Cross-site request forgery (CSRF) on forms accessible anonymously
• Absence of ‘secure’ / ‘HTTP Only’ flags on non-sensitive cookies
• Use of HTTP OPTIONS Method
• Host Header Injection
• Absence of SPF, DKIM and DMARC records
• Absence of DNSSEC

The absence of one or several of the following HTTP Security Headers:

• Strict-Transport Security (HSTS)
• HTTP Public Key Pinning (HPKP)
• Content-Security Policy (CSP)
• X-Content-Type Options
• X-Frame Options
• X-Web Kit CSP
• X-XSS Protection

Achmea developed an online form with which you can pass on a vulnerability. Could you explain the vulnerability as clearly and completely as possible? You can also do this anonymous.

We would like to ask you to only share the problem with Achmea's experts and to refrain from making it public. In this way, we can keep our clients' data safe. We appreciate it if you give us time to solve the problem.

When you investigate a vulnerability, please do not damage the software. You are not permitted to disclose information to anyone except Achmea. Moreover, it is not allowed to interrupt our services deliberately because you are investigating a problem.

It is possible that you do something which is illegitimate in your investigation. If you are acting in good faith, with due care and in accordance with the rules below, you will not be prosecuted.

We would like to ask you:

• to describe clearly with your report how it is possible to abuse the security problem. You can use screenshots, for example, or give a step-by-step explanation.
• to not use any social engineering to get access to our systems.
• to not insert a back door in an information system to show the weak spot.
• to only do what is strictly necessary to show the vulnerability.
• to not copy, change or delete data. Send us only (minimal) information which you need to demonstrate the problem. Make a directory listing, for example, or a screenshot.
• to minimise any attempts to gain access to the system and to not disclose any information about access gained to third parties.
• to not use any ‘brute force attacks’ to enter our systems.
• to submit only one security problem with each report.
• to reply if we need extra information about the problem you have found; to never contact Achmea’s staff directly or through any channels other than the form.

• On receipt of your report through the web form, you will automatically receive a confirmation of receipt. You will hear within 3 working days what we will do with your report.
• If the security problem is serious, you will be rewarded appropriately as a token of our gratitude. Your reward will be based on the risk and the impact of the security problem and may vary from a T-shirt to a maximum amount of EUR 300 in gift vouchers. Please note: this must then concern an unknown and serious security problem.
• We will only use your contact details to communicate with your about your report. We will not share these with third parties, except if we are obliged to do so by law. For example, if we are asked to do so by judicial authorities or if we regard your action as a criminal offence (and you have therefore not acted in good faith) and report this to the police.

If you have reported the problem anonymously, we will be unable to keep you informed. In that case, we will not be able to give you a reward either.

This Responsible Disclosure Scheme is neither meant for lodging complaints, nor must it be used for reporting:

• that the website is not available
• fraud
• fake emails (phishing emails)
• viruses

Report a vulnerability by filling in the form at the bottom of the page.

• Based on the risk of the security problem, Achmea will determine your reward. Please note: if your report does not concern a security risk or is low-risk, it is possible that no reward is given.
• If double reports are received about a specific security problem, the reward will be given to the person who first reported this security problem. Achmea will decide whether or not there was a double report and will not disclose any information about the content of the reports concerned.
• A reward will be given to one person only.
• If a reward is given, we will publish the name of the person who reported the problem, after consultation with and with the permission of this person, in a Hall of Fame on achmea.nl. We reserve all rights to limit the information on the list.
• We aim to give similar rewards for similar security problems. The rewards and any eligible security problems may change, however. Rewards offered in the past do not guarantee any similar results in the future.

The following brands are covered by this programme:

• Achmea
• Avéro Achmea
• Centraal Beheer
• De Friesland Zorgverzekeraar
• Eurocross
• FBTO
• Interpolis
• ProLife
• Woonfonds
• Zilveren Kruis

The following subsidiaries are covered by this programme:

• Achmea Australia
• Eureko Sigorta
• Interamerican
• Onlia
• Union

The following initiatives are covered by this programme:

• Actify
• Automodus
• RoadGuard