Responsible Disclosure Policy

At Mollie, we believe that the security of our systems, our network and our products is very important. We pay a lot of attention to this during development and maintenance. However, sometimes vulnerabilities escape detection. We appreciate you notifying us if you find one. We would prefer to hear about it as soon as possible so that we can take measures to protect our customers.

This document describes the procedure we have prepared for this.

Reporting

If you believe you’ve found a security issue in our product or service, please notify us as soon as possible by emailing us at security@mollie.com. If possible, encrypt your report with our PGP key ID=8B6E11C9 (fingerprint=0437 4B9A D845 56E3 D1C9 D62D C8A6 04B3 8B6E 11C9).

Rules

  • Do not share information about the security problem with others until the problem is resolved.
  • Provide information about how and when the vulnerability or malfunction occurs. Clearly describe how this problem can be reproduced and provide information about the method used and the time of investigation.
  • Be responsible with the knowledge about the security problem. Do not perform any actions beyond those necessary to demonstrate the security problem. Do not abuse the vulnerability and do not keep confidential data obtained through the vulnerability in the system.
  • Leave your contact details (e-mail address or telephone number) if you want, so that Mollie can contact you about the assessment and progress of the vulnerability solution. We also take anonymous reports seriously.
  • Do not use physical attacks, DDoS attacks or social engineering.

Our responsible disclosure policy is not an invitation to actively scan our company network for vulnerabilities. Our systems are monitored continuously. As a result, there is a good chance that a scan will be detected and our Security Operations Center (SOC) will investigate it.

How does Mollie handle Responsible Disclosure?

When you report a suspected vulnerability in an IT system, we will deal with this in the following way:

  • You will receive confirmation of receipt from Mollie within three business days after the report.
  • You will receive a response within three business days after the confirmation of receipt containing an assessment of the report and the expected date of resolution. We strive to keep you informed of the progress of the resolution.
  • Mollie will treat your report confidentially and will not share your information with third parties without your permission, unless this is required by law or by a court order.
  • Mollie will determine together with you whether and how the problem is reported on. The problem will only be reported on after it has been resolved. If you wish, Mollie will mention your name as the discoverer in the reporting on the problem.

Exclusions

This Responsible Disclosure scheme is not intended for reporting complaints. The scheme is also not intended for:

  • Reporting that the website is not available.
  • Reporting fake e-mails (phishing e-mails).
  • Reporting fraud.

For issues pertaining to the above and any other inquiries please get in touch with our support team.

Rewards / bug bounty

Mollie has a bug bounty scheme to encourage the reporting of problems concerning the security of our systems. We make an appropriate monetary reward available for reports that actually lead to remedying a vulnerability or a change in our services. We decide whether the report is eligible, and the nature and amount of the remuneration.

Which systems/problems are excluded from bug bounty rewards?

Not all systems that are accessible under our logos fall under Mollie’s direct control. Although we also take reports regarding these systems very seriously, we cannot allow them to fall under a bug bounty scheme.

We also exclude specific problems that in our opinion do not constitute a threat outside of a laboratory set-up.

EXCLUDED SYSTEMS

  • help.mollie.com
  • info.mollie.com
  • blog.mollie.com
  • status.mollie.com
  • jobs.mollie.com

EXCLUDED TYPES OF SECURITY PROBLEMS

  • (D)DoS attacks
  • Problems that amount to self-XSS
  • Error messages without sensitive data
  • Reports from which software we use can be deduced
  • Problems that require the use of heavily outdated operating systems, browsers or obsolete plug-ins
  • Problems that are already known to us

This policy has been drawn up based on the NCSC’s Responsible Disclosure Guideline.