At Closure, the security of our systems and the privacy of our users are top priorities. We greatly appreciate the efforts of ethical hackers and security researchers who help us keep our platform safe.
No matter how much care we take to secure our systems, vulnerabilities may still exist. If you discover one, we ask that you inform us as soon as possible so we can take appropriate action. Please follow the guidelines below to help us protect our users and systems responsibly.
For more information about our security practices, please visit our Trust Platform.
How to Report a Vulnerability
Please report any suspected vulnerabilities by email to:
📧 security@closure.nl
When submitting your report, please include:
- A detailed description of the vulnerability
- The URL, IP address, or system affected
- Steps to reproduce the issue (proof-of-concept preferred)
- Any relevant technical details, screenshots, or logs
We ask that you do not publicly disclose the issue until it has been resolved.
Do's
- Report the vulnerability as quickly as reasonably possible.
- Report in a confidential manner, ensuring the information is not shared publicly before resolution.
- Provide enough detail for us to reproduce and assess the issue.
- Use test accounts and sample data only when conducting research.
Don'ts
- Do not share details of the vulnerability with others before it has been resolved.
- Do not access, copy, modify, or delete data.
- Do not exploit the vulnerability beyond what is necessary to prove its existence.
- Do not perform actions that could disrupt our services, such as:
- Brute-force attacks
- Denial of Service (DoS)
- Social engineering
- Spam or phishing
- Physical security attacks
What You Can Expect from Us
- We will acknowledge your report within 5 business days.
- We will keep you informed of our progress as we resolve the issue.
- If you follow the guidelines in this policy, we will not take legal action against you for your responsible disclosure.
Bug Bounty
Closure appreciates your help in keeping our systems secure. Depending on the severity and impact of the reported vulnerability, we may offer a monetary reward (bug bounty) as a token of appreciation.
- Typical rewards range from €30 for low-severity issues up to €300 for critical vulnerabilities.
- The specific reward amount is determined at our discretion based on the impact, exploitability, and quality of the report.
We will not issue a bounty for vulnerabilities that:
- Were found through non-compliant or unethical testing methods
- Are already known to us
- Cannot be proven to be exploitable
- Are unconfirmed reports from automated scanners
- Are related to rate limits, brute-force, or version disclosure ("banner grabbing")
- Affect systems or services that are out of scope
Out of Scope
The following are out of scope and not eligible for a bounty:
- Third-party platforms or systems not operated by Closure BV
- Marketing or informational websites without user data
- Denial of Service (DoS) or spam-related vulnerabilities
- Physical security vulnerabilities
- Issues requiring access to our internal corporate network
Legal Safe Harbor
If you act in good faith and follow this policy:
- Your actions will be considered authorized under applicable law.
- Closure BV will not pursue legal action related to your report.
- We welcome your contribution to improving the security of our systems.
Thank you for helping us keep Closure secure.
You can find more about our security and compliance program at trust.closure.nl