Responsible disclosure
Did you find a potential vulnerability in a HEMA website or system? Read here how to report it through our responsible disclosure process.
Please note: due to a high number of submissions, our response time may be longer than usual. Thank you for your patience.
responsible disclosure process #
Although we put tremendous effort into keeping our systems secure at HEMA, there can always be vulnerabilities that have gone unnoticed. Whenever you find a (potential) vulnerability that may cause an issue in our systems or lead to disclosure of our (customer) data, we kindly ask you to report it to us so that we can remediate it and better protect our customers and systems.
submission & communication guidelines #
To ensure smooth handling of your report, please follow these guidelines:
- Submit your report only via the official form (see button below). Submissions sent by email will not be acknowledged or accepted.
- Report only one vulnerability per submission. If you discover multiple issues, please submit each one separately.
- Use a clear and structured title in the format [System name] – [Short summary], e.g. Hema – Sensitive Information Disclosure for a finding on hema.nl. Incorrect titles may delay processing.
- Include clear and reproducible steps. We must be able to verify your report, so explain how the vulnerability was found.
- Include supporting evidence such as screenshots, videos, request/response samples, or a proof-of-concept file. You can upload these as attachments.
- By submitting, you agree to accept HEMA’s assessment and the corresponding reward amount. All decisions and rewards are non-negotiable.
- Always reply directly in the email thread you receive from us; don’t start a new email. This keeps your communication tracked with the report.
In addition, we ask that you:
- Do not take advantage of the vulnerability or problem you have discovered. For example, do not download more data than necessary to demonstrate the issue, and do not delete or modify other people’s data.
- Do not disclose the issue to others until it has been resolved. Please refrain from publishing any information until we have reviewed your content and confirmed it contains no sensitive details.
- Do not send unnecessary messages or address groups of people to ask for updates or rewards.
- After your report has been processed, delete any confidential information obtained during your investigation.
important notice #
- Failure to follow these guidelines may result in the rejection of your submission.
- Engaging in arguments or disregarding our decisions will lead to permanent removal from our program.
- By submitting, you implicitly agree to these terms. We assume all researchers have read and understood the guidelines before submitting.
what you can expect from us #
When your submission follows the responsible disclosure guidelines, HEMA will:
- Acknowledge your report within 14 working days.
- Assess and triage your submission fairly and professionally.
- Not pursue legal action if you follow the rules outlined here.
- Handle your report with strict confidentiality and never pass on your personal details to third parties without your permission.
- Keep you informed of the report status and progress.
- Offer a monetary reward starting from €50, paid via PayPal, for valid and previously unknown vulnerabilities.
- (Optional) Credit your name or handle on our acknowledgements page, only with your explicit consent.
Please note: remediation timelines may vary depending on internal priorities and complexity. We may not be able to provide a remediation timeline or confirmation of fix.
If you wish to publicly disclose your findings (e.g., in a blog post), we’re happy to review your content after the issue is closed. We ask that you wait for our approval before publishing, to ensure no sensitive or unresolved information is disclosed.
rewards #
As a thank-you for helping us secure our systems, we offer monetary rewards for valid and previously unknown vulnerabilities.
- Rewards start at €50
- Payment is made via PayPal
- Final reward amount depends on:
  - Impact and severity of the vulnerability
  - Clarity and quality of the report
All reward decisions are made by HEMA and are non-negotiable.
definition of a vulnerability #
HEMA considers a security vulnerability a weakness in our websites or infrastructure that could impact confidentiality, integrity and/or availability of these systems. Because this is a broad definition, we understand you might raise concerns that are already known or not considered a security issue by HEMA.
not considered valid vulnerabilities: #
- Auto-completion enabled or disabled on forms.
- Missing cookie attributes on non-sensitive cookies, e.g. missing HTTP-only flags on analytics cookies.
- Presence or absence of HTTP headers such as X-Frame-Options, Content-Security-Policy or X-Content-Type-Options (nosniff), unless part of the solution for another related vulnerability.
- Dangling DNS records and subdomain takeover.
- Findings about email security measures such as DKIM, DMARC and SPF.
- SSL/TLS findings that pertain to outdated or invalid certificates.
- Certain low-risk vulnerabilities or risks that are already known. These may still be security vulnerabilities, but are either already in remediation or accepted.
- Vulnerabilities of the same type, reported separately, for example XSS in multiple parameters or unvalidated redirects in different locations. These are considered one vulnerability.
considered valid vulnerabilities: #
- Unauthorized access to customer data, including but not limited to names, order information and further personal details.
- Remote Code Execution (RCE).
- Server-Side Request Forgery (SSRF).
- Cross-site Scripting (XSS).
- Cross-site Request Forgery (CSRF).
- Injection attacks, such as SQL Injection (SQLi).
- XML External Entity Attacks (XXE).
- Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc.).
- Path/Directory traversal Issues.
When in doubt, we encourage you to report your findings for review.
report a vulnerability #
If you believe you have found a security issue that we would consider a security vulnerability, or have something else you would like to bring to our attention, use the ‘Report vulnerability’ form at the bottom of this page (requires JavaScript).