Handling security risks and data breaches in 3rd party software


This article describes the policy, effective September 1, 2023, by which Invantive handles security risks and data breaches it discovers in the software of 3rd party providers.

Security Risks and Third Party Data Breaches

For Invantive, preventing security risks and data breaches is an integral part of our work, both in the original development and in the maintenance of its own products. When in doubt, additional measures are taken.

We regularly discover security risks and data breaches in 3rd party software platforms, for example during the development and maintenance of software that exchanges data with such platforms. Especially since the introduction of the cloud, this has been a regular experience over the past decade, even though we do not actively search for security risks or data breaches.

A security risk is like an unsecured door to data or processes. It means that unauthorized people can gain access to sensitive information, such as sales figures and personal data. A security risk can also allow data to be changed without authorization, such as a bank account number.

A data breach is like accidentally opening a secret box. Sometimes data becomes visible by accident because of a security problem. This can be something trivial, such as how many ping-pong balls were sold. But it can also be classified information, such as medical records or complete medical files of users’ photos, or the bank statements of all users.

Policy

While Dutch law does not require us to report security risks to regulators or to the affected software providers, we strive to have a positive impact on society. Reporting security risks and data breaches does not always make sense, however. We have therefore developed a policy that increases social utility without incurring unnecessary costs.

When a potential security risk and/or data breach is identified, we first consider whether the discovery occurred during paid work on behalf of an end customer. If so, we inform them of the situation and leave the decision to them for any follow-up action.

If the discovery occurs during work that Invantive performs on its own behalf, the following steps are followed. Some countries have legislation with more far-reaching restrictions and obligations than the Netherlands. If the software provider falls under such legislation, any analysis is stopped as early as possible so that this legislation does not apply. An initial notification to the software provider only occurs if a valid and usable security.txt file (RFC 9116) is present on the provider's website. Any subsequent notifications occur only if the initial notification is handled with the care appropriate to the impact and severity of the security risk or data breach.

In all other cases, security threats and data breaches are not reported.

Our commitment to transparency means that the Invantive software displays data as it is, without corrections to hide any security risks or data breaches. We take an open approach, even in cases where this could expose a security risk or data breach. For example, when a table contains unencrypted passwords, these passwords are not masked or encrypted.

Security risks and data breaches at Invantive

We strive to create a secure digital environment for everyone. If you suspect a security risk or data breach when using Invantive software itself, please follow the instructions on our security page or in the security.txt file. We are grateful for your cooperation in this regard.

Revisions

The following essential changes were made to this text:

Date       Change
20231003   Add exceptions for countries with far-reaching obligations.