Brussels Airlines Responsible Disclosure Statement

As an Intigriti researcher, you can earn good money. If you are willing to go public with your responsible hacking activities, you can receive financial rewards. Intigriti pays out rewards for every bug you manage to find and submit as the first researcher. Please be aware, Intigriti does not accept registrations from anonymous researchers. 

If your vulnerability report is valid and you would like to be recognised for your contribution, we will gladly add you to our “Brussels Airlines InfoSec Hall of Fame”, by name or anonymously. Rest assured, we will only add you to our “Hall of Fame” if you explicitly request this. 

If you prefer not to provide your name and contact details, you can report a vulnerability directly to Brussels Airlines. However, you should consider that without this information we will be unable to discuss the next steps with you, or add you to our “Hall of Fame”. 

To report a vulnerability directly to us, please send an e-mail to our security team: 

​InfoSec@brusselsairlines.com

Our specialists will read your report and start working on it right away. 

Please ensure that your e-mail is clear and succinct. In particular, please include the following information: 

• Description of the discovered vulnerability or risk 
• Evidence of the finding (e.g. Proof of Concept, video, screenshot, etc.) 
• The steps you undertook 
• The entire URL 
• Objects possibly involved 

Examples of vulnerabilities could be: 

• Cross-site scripting (XSS) vulnerabilities 
• SQL injection vulnerabilities 
• Remote Code execution 
• Authentication bypass 
• Encryption vulnerabilities 

To ensure that your testing remains lawful, refrain from using invasive or destructive techniques. Always adhere to these rules: 

• Do not disrupt our online services. 
• Do not use techniques that can influence the availability of our online services. 
• Do not make any changes to the system. 
• Do not modify or delete any data in the system. 
• In case your finding requires a copy of the data from the system, do not copy more than your investigation requires. If one record is sufficient, do not copy more. 
• Do not make any customer or business data public. 
• Do not create a backdoor in any system. 
• Do not attempt to penetrate the system more than required. In case you successfully penetrate the system, do not share gained access with others. 
• Do not use any brute force techniques (e.g. repeatedly entering passwords) in order to gain access to the system. 
• Do not use social engineering in order to gain access to our IT systems. 

To ensure the best outcome, please follow these guidelines: 

• Create your report in Dutch, French, or English. Reports in other languages will not be processed. 
• Give us enough details to enable us to reproduce the vulnerability. 
• Allow us a reasonable amount of time to fix the vulnerability before making any information public. 
• Consult with us before making any information public. 
• Do not ask Brussels Airlines to compensate you for your report. 

You can expect the following commitments from us: 

• We will let you know that we received your report. 
• We will give you an estimate of how long the fix will take. 
• We will tell you when we have fixed the vulnerability. 

Your personal information will only be used to approach you regarding your vulnerability report. We will not distribute your personal information to third parties without your permission. Should the law require us to provide your personal information to an authority we will ensure that the applicable authority treats your personal information confidentially. We will remain responsible for your personal information.