Nexuzhealth Coordinated Vulnerability Disclosure Policy

At Nexuzhealth, we consider the security of our systems, our network and our products a top priority. Despite our best efforts, some vulnerabilities may still be present in our systems and processes.

In close cooperation with Intigriti, we opted for a public Bug Bounty program and a public Responsible Disclosure program where anyone can report discovered vulnerabilities. By engaging in any activities covered by this policy, you accept that the provisions of this policy will apply to your relationship with us.

The information on this page is intended for anyone who discovers a vulnerability, to inform them about how security vulnerabilities should be reported to the Nexuzhealth security team. If you are a customer and have a question about security, please contact us through the service desk.

Programs

We opted for a public Bug Bounty program and a public Responsible Disclosure program.

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be authorized, lawful, and helpful to the overall security, and conducted in good faith. You are expected to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through our official channel (see below) before going any further.

Nexuzhealth commits to act in good faith by not pursuing any legal action against you if you complied with the terms in this Responsible Disclosure Policy.

Rules

To avoid any confusion between good-faith hacking and malicious attacks, you warrant that you will respect the following principles:

  • perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
  • avoid privacy violations, destruction of data, and interruption or degradation of our service; you shall only act in good faith, which means the purpose of your research is not to permit deliberate access to the content of IT, communication or personal data. Such access only occurs accidentally and occasionally in the context of detecting vulnerabilities in the IT systems concerned;
  • do not copy our data, unless to the extent strictly necessary to perform your investigation, after which this data should be destroyed permanently;
  • do not attempt to execute Denial of Service attacks;
  • social engineering is prohibited;
  • do not share any gained access or data with any others.

Disclosure

You are not allowed to publicly discuss or publish any vulnerability before it has been fixed and you have received explicit permission from us to do so.

Rewards

There is a public bug bounty program available for Nexuzhealth at Intigriti.com/programs. However, note that our bug bounty program has a specific scope: not all reported vulnerabilities are eligible for a bounty (see ‘Out of Scope’). 

Rewards differ according to impact. More information can be found on the Intigriti website.

We do not offer bounties for Responsible Disclosure reports. However, if you report via our Nexuzhealth Responsible Disclosure program on Intigriti, as a small token of appreciation for all researchers that submit a previously unknown vulnerability, we will offer a place in our Security Hall of Fame.

You will not be eligible for a reward if you are or were an employee or contractor of Nexuzhealth, UZLeuven or Cegeka.

Reporting & Contact

If you believe you have found a vulnerability with regard to our systems, you should inform us of your findings through Nexuzhealth’s programs via our coordinator, namely the Intigriti website. On the Intigriti platform, you will be able to report a vulnerability.

  • Our security team will review your submission with appropriate priority after triage by Intigriti.
  • You shall inform us without undue delay and solely inform us via the Intigriti platform.

To avoid a disappointing experience when contacting us, please take a moment and consider if the issue you want to report actually has a realistic attack scenario.

Scope

We ask you to not submit issues regarding:

  • theoretical vulnerabilities without any proof of the real presence of the vulnerability;
  • automated tools findings without providing a Proof of Concept;
  • missing or weak security related HTTP-headers;
  • non-sensitive data disclosure;
  • any issues without showing an attack vector;
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions;
  • expired SSL certificates;
  • clickjacking;
  • Denial of Service.

Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty.

When duplicates occur, we will only accept the first report. A duplicate is a vulnerability that we are already aware of, regardless of how we first became aware of it (it could have also been discovered by us internally).

Applicable law

If a dispute arises concerning this policy and an amicable settlement cannot be agreed upon, the dispute will be subject to Belgian law.

Contact

Contact us at security@nexuzhealth.com if you have any questions about this policy or if you are facing issues sending us your findings via the Intigriti platform.

Please do not use this email address to inform us of any discovered vulnerability.