In order to improve the performance and security of C&W Logistics’ networks and information systems, C&W Logistics has adopted a coordinated vulnerability disclosure policy. This policy gives participants the opportunity to search for potential vulnerabilities in C&W Logistics’ systems, equipment and products with good intentions or to pass on any information they discover about a vulnerability.
However, access to C&W Logistics’ IT systems and equipment is only permitted with the intention of improving security, informing C&W Logistics of existing vulnerabilities and in strict compliance with the other conditions set out in this document.
C&W Logistics’ policy concerns security vulnerabilities that could be exploited by third parties or disrupt the proper functioning of C&W Logistics’ products, services, networks or information systems.
The participant is also permitted to introduce or attempt to introduce computer data into C&W Logistics’ computer system, subject to the purposes and conditions of this policy.
All vulnerabilities in products, services, networks or information systems owned, operated, hosted or managed by C&W Logistics are within scope where they may impact the confidentiality, integrity or availability of C&W Logistics’ systems or data.
However, deployments, installations or environments owned, operated or managed by customers, partners or other third parties are explicitly out of scope, even where such environments contain or use C&W Logistics’ products and services.
Vulnerabilities inherent to third-party products, services, networks or information systems are out of scope.
However, vulnerabilities resulting from C&W Logistics’ configuration, implementation, integration or use of such systems within C&W Logistics’ environment are in scope where they may impact the confidentiality, integrity or availability of C&W Logistics’ systems or data.
The participant's research on systems not explicitly included in the framework of this policy could lead to legal proceedings against him/her.
2. Mutual obligations of the parties
a. Proportionality
The participant undertakes to comply strictly with the principle of proportionality in all their activities, i.e. not to disrupt the availability of the services provided by the system and not to make use of the vulnerability beyond what is strictly necessary to demonstrate the security flaw. Their approach must remain proportionate: if the security problem has been demonstrated on a small scale, no further action should be taken.
The objective of C&W Logistics’ policy is not to allow intentional knowledge of the content of computer data, communication data or personal data, and such knowledge could only occur incidentally in the context of the search for vulnerabilities.
b. Actions that are not allowed
Participants are not permitted to take the following actions:
c. Confidentiality
The participant must strictly refrain from sharing or disclosing any information collected under C&W Logistics’ policy with third parties without C&W Logistics’ prior and explicit consent.
Similarly, it is not permitted to reveal or disclose computer data, communication data or personal data to third parties.
C&W Logistics’ policy is not intended to enable the intentional access to the content of computer data, communication data, or personal data, and such access may only occur incidentally in the context of vulnerability detection.
The participant retains the right to notify the Centre for Cybersecurity Belgium (CCB) of the vulnerability in parallel with the notification to C&W Logistics, in order to benefit from the legal protection regime set out in articles 22 and 23 of the Belgian NIS2 Act of 26 April 2024. Such parallel notification, sent to vulnerabilityreport@ccb.belgium.be in accordance with the simplified notification deadline of 24 hours and the complete notification deadline of 72 hours under article 23, § 1 of that Act, does not constitute a breach of this policy. Where the vulnerability may affect other organisations in Belgium, notification to the CCB is also recommended.
d. Bona fide execution
C&W Logistics undertakes to implement this policy in good faith and to refrain, in respect of a participant who complies with its conditions, from (i) instituting civil proceedings against the participant, (ii) filing a criminal complaint against the participant with the police or the judicial authorities, and (iii) bringing a civil-party claim against the participant before an investigating magistrate. This commitment is given by C&W Logistics in its own name only and does not bind third parties (including customers, partners or end users), nor does it affect the prosecutorial discretion of the Belgian Public Prosecutor’s Office to initiate or continue criminal proceedings ex officio under the principle of opportunity. Where the participant complies with the conditions set out in articles 22 and 23 of the Belgian NIS2 Act of 26 April 2024, the legal protection regime under that Act applies in any event.
The participant must be free of fraudulent intent, intent to harm, intent to use or intent to cause damage to the visited system or its data.
If there is any doubt about any of the conditions of C&W Logistics’ policy, the participant must first ask C&W Logistics’ contact point and obtain its written consent before acting.
e. Processing of personal data
The purpose of a CVDP is not to intentionally process personal data, but it is possible that the participant may have to process personal data, even incidentally, in the course of his or her vulnerability research.
The processing of personal data is broad in scope and includes the storage, alteration, retrieval, consultation, use or disclosure of any information that could relate to an identified or identifiable natural person. The "identifiable" character of the person does not depend on the mere will of the data processor to identify the person, but on the possibility of identifying, directly or indirectly, the person by means of these data (for example: an e-mail address, identification number, online identifier, IP address or location data).
Where the participant processes personal data in the course of vulnerability research, the participant acts as an independent data controller within the meaning of Article 4(7) GDPR, and must comply with all obligations applicable to data controllers under the GDPR. In particular:
- The participant undertakes to limit the processing of personal data to what is necessary for the purpose of vulnerability scanning.
- The participant shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (e.g. encryption). The participant declares that he/she understands the risks associated with the implementation of this policy and that he/she has the necessary expertise and experience to test C&W Logistics’ systems, equipment and products safely and in compliance with applicable laws and regulations.
- In the event of a personal data breach that may pose a risk to the rights and freedoms of the natural persons concerned, the participant undertakes to notify both C&W Logistics (at gdpr@cwlogistics.be) and the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données) as soon as possible and, in any event, no later than 72 hours after becoming aware of the breach, in accordance with article 33 GDPR.
- The participant may not keep any personal data processed for longer than necessary. During this period, the participant must ensure that this data is stored with a level of security appropriate to the risks involved (preferably encrypted). At the end of his/her participation in the policy, this data must be deleted immediately.
The participant’s status as independent data controller applies to all processing of personal data carried out by him/her in the course of vulnerability research, whether in accordance with this policy or not. The participant assumes full responsibility for such processing under the GDPR.
3. How to report a vulnerability?
As soon as possible after the discovery, the participant should notify C&W Logistics via security@cwlogistics.be. Whenever possible the participant should use secure means of communication to share the details of the vulnerability.
4. Procedure
a. Discovery
Where a participant becomes aware of information relating to a potential vulnerability, the participant should, where possible, carry out prior checks to confirm the existence of the vulnerability and identify any risks involved.
b. Notification
The participant undertakes to notify, as soon as possible, technical information on possible vulnerabilities to the contact point listed in point 3 of this policy.
Upon receipt of a notification, C&W Logistics undertakes to send to the participant, as soon as possible, an acknowledgement of receipt, and the next steps of the procedure.
c. Communication
The parties undertake to make every effort to ensure continuous and effective communication. The information provided by the participant can be very useful in identifying and addressing the vulnerability.
d. Investigation
The investigation phase will allow C&W Logistics to replicate the environment and behaviour reported in order to verify the information reported.
C&W Logistics undertakes to keep the participant informed on a regular basis of the results of the investigations and the follow-up to the notification.
During this process, the parties will ensure that they make the link with similar or related reports, assess the risk and severity of the vulnerability, and identify any other affected products or systems.
e. Development of a solution
The objective of the disclosure policy is to enable the development of a solution to remove the vulnerability from the computer system before any damage is done.
Taking into account the state of knowledge, the costs of implementation, the seriousness of the risks to users and the technical constraints, C&W Logistics will try to develop a solution as soon as possible.
In this phase, C&W Logistics and its partners commit to carrying out positive tests to verify that the solution works properly and negative tests to ensure that the solution does not disrupt the proper functioning of other existing functionalities.
f. Possible disclosure
C&W Logistics will decide, in coordination with the participant, on the modalities to eventually disclose the existence of the vulnerability. This disclosure should take place at the earliest possible time, together with the deployment of a solution and the distribution of a security notice to users.
C&W Logistics is also committed to collecting feedback from users on the deployment of the solution and to taking the necessary corrective measures to address any issues with the solution, including compatibility with other products or services.
5. Law applicable
Belgian law is applicable to any disputes arising from the application of this policy.
6. Duration
The rules of the policy are applicable from 01/07/2026 until they are modified or deleted by C&W Logistics. Such changes or deletions will be published on C&W Logistics’ website and will apply automatically after a period of 30 days following their publication.