At Solvay we take the security of systems and data very seriously. We recognize the importance of security researchers and members of the community in helping us identify and mitigate potential vulnerabilities.
This policy sets the rules of engagement for ethical security researchers, also called “the participant” hereafter, to identify and submit information on security vulnerabilities.
Systems that are dependent on third parties are excluded from the scope of this policy, unless the third party explicitly agrees to these rules in advance.
Mutual obligations of the parties
1: Proportionality
The participant undertakes to comply strictly with the principle of proportionality in all their activities, i.e. not to disrupt the availability of the services provided by the system and not to make use of the vulnerability beyond what is strictly necessary to demonstrate the security flaw.
2: Actions that are NOT allowed
- copying or altering data from the IT system or deleting data from that system;
- changing the IT system parameters;
- installing malware: viruses, worms, Trojan horses, etc.;
- Denial of Service (DoS) attacks;
- Distributed Denial of Service (DDoS) attacks;
- repeatedly accessing the system or sharing access with others;
- using automated scanning tools;
- social engineering attacks;
- physical testing (e.g. office access, open doors, tailgating);
- phishing attacks;
- spamming;
- stealing passwords or brute force attacks;
- installing a device to intercept, store or learn of (electronic) communications that are not accessible to the public;
- the deliberate use, maintenance, communication or distribution of the content of non-public communications or of data from an IT system where the participant should reasonably have known it had been obtained unlawfully.
If the participant wishes to use the assistance of a third party to carry out his or her research, the participant must ensure that the third party is aware of this policy and agrees, by offering assistance, to abide by its terms.
3: Confidentiality
The participant must strictly refrain from sharing or disclosing any information collected under our policy with third parties (e.g. on Reddit, social media …) without our prior and explicit consent.
Similarly, it is not permitted to reveal or disclose computer data, communication data or personal data to third parties.
4: Bona fide execution
Solvay undertakes to implement this policy in good faith and not to take legal action, either civil or criminal, against a participant who complies with its conditions.
The participant must be free of fraudulent intent, intent to harm, intent to use or intent to cause damage to the visited system or its data. This also applies to third-party systems located in Belgium or abroad.
If there is any doubt about any of the conditions of our policy, the participant must first ask our contact point and obtain its written consent before acting.
5: Processing of personal data
While the policy does not aim to intentionally process personal data, participants may incidentally encounter such data during their research. They must handle such data in accordance with legal requirements, limiting processing to what is necessary for vulnerability scanning and ensuring appropriate security measures.
6: Reward and Recognition
Solvay does not grant monetary rewards or compensation for vulnerability reports. However, we value the contribution to our security efforts and will acknowledge researchers' efforts publicly, unless requested otherwise.
Any request for a reward outside the conditions defined by this policy may thus be considered as an illicit attempt at extortion.
Procedure
You should send the information found only to vulnerability.policy@solvay.com.
Upon discovery, the participant undertakes to notify Solvay, as soon as possible, of technical information on possible vulnerabilities, as per point 3 of this policy.
Solvay will acknowledge receipt and proceed with investigation, solution development, and possible public disclosure in coordination with the participant.
Applicable Law
Belgian law is applicable to any disputes arising from the application of this policy.
Duration
The rules of the policy are applicable from 2024-03-21 until they are modified or deleted by Solvay. Such changes or deletions will be published on Solvay's website and will apply automatically after a period of 30 days following their publication.