Responsible disclosure · Interchange

Interchange takes the security of our services and data seriously. If you believe you have found a vulnerability, please follow this process so we can investigate and remediate responsibly.

Scope

This policy applies to systems and domains operated by Interchange for its own business (for example interchange.nl and related infrastructure we control). Customer environments are governed by separate agreements. Please report issues in those systems through the appropriate customer channel unless we have agreed otherwise in writing.

How to report

Send a detailed report to security@interchange.nl. Include steps to reproduce, affected URLs or components, and the potential impact. Encrypt sensitive material if needed (we can provide a PGP key on request).

What we ask

Give us reasonable time to investigate and fix before public disclosure.
Do not access, modify, or destroy data that is not yours; use test accounts where possible.
Do not perform denial of service attacks or social engineering against our staff or users.

What you can expect

We aim to acknowledge receipt within a few business days and to keep you informed of material progress. We do not operate a public bug bounty programme; recognition is handled case by case.

This page is provided for guidance and may be updated. It does not waive any rights or create contractual obligations beyond applicable law.