Responsible disclosure

Conditions of use

SNCB attaches great importance to the security of its networks and information systems, in particular by ensuring the protection of customer data. Despite all the security measures that are taken, it cannot be ruled out that vulnerabilities remain in the system which could be misused. If you discover a security issue in our networks and/or systems, we offer you a way to warn us of it in a responsible way, so that the issue can be solved quickly. To ensure that this process is conducted in an organized and secure manner, we ask you to adhere to the following rules.

What should you do when you discover a security problem?

Report the issue by sending an email to disclosure@b-rail.be.

The following rules apply to the reporting:
  • Write your message in Dutch, French or English.
  • Explain the issue completely and in detail. In your description or in the annexes, mention all information or examples that are available to you: IP addresses, logs, screenshots, related URLs, etc. It is important that we are able to reproduce the vulnerability in order to fix it.
  • We may contact you to request additional information. If you wish to remain anonymous, this is also possible. In this case, use an anonymous email forwarding service (e.g. trashmail.com, …).
  • Do not disclose any information concerning the lack of security through other channels. Do not share information concerning the vulnerability with third parties, whether before or after informing SNCB about the issue, or after it has been resolved. Such behaviour could be considered irresponsible, and civil law proceedings may be instituted against you.
  • Do not misuse the vulnerability found. Only collect the data necessary to inform us of the issue.
  • Do not change or remove any system data or parameters. In general, please ensure that you do not interfere with the effective functioning of our systems. Intrusion techniques such as DoS or DDoS attacks, the installation of malware or viruses, brute force password guessing (stealing passwords using a large amount of processing power), theft of passwords, scanning of our systems, phishing, etc., as well as social engineering attacks and all infringements in general, will be considered targeted attacks, and civil law proceedings may be instituted against you. If a test needs to be conducted, we shall do it ourselves.

Which issues can be reported using this channel?

Which issues cannot be reported using this channel?

  • Questions and complaints regarding the products and services of SNCB.
  • Questions about the use of your passwords.
  • Questions about spam or phishing (attempts).
For these questions, please contact our SNCB customer service.

What will happen with your report?

  • We will give you an answer within two weeks.
  • We will contact you again if we need any additional information.
  • We make every effort to solve the issue quickly and efficiently.
  • We will inform you as soon as the issue has been solved.
  • If your actions meet the above criteria, we will not bring any legal proceedings against you.
