Security

Vulnerability Disclosure Policy

Introduction

Roadsoft takes the security of its products and services seriously. We welcome responsible disclosure of any vulnerabilities that may be found in our systems. This policy describes how to report vulnerabilities and what you can expect from us.

Scope

This policy applies to:

  • Roadsoft web application (app.rs-roadsoft.nl)
  • Roadsoft APIs
  • Roadsoft mobile applications
  • Any other digital product or service operated by Roadsoft B.V.

How to Report

Send your findings to security@rs-roadsoft.com and include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any supporting material (screenshots, proof-of-concept code, logs)
  • Your contact information for follow-up

You may encrypt your report using our PGP key (available upon request).

Our Commitment

  • We will acknowledge your report within 2 business days
  • We will provide an initial assessment within 5 business days
  • We will keep you informed of our progress
  • We will resolve critical vulnerabilities within 30 days
  • We will not take legal action against researchers who follow this policy
  • We will credit you (if desired) when the vulnerability is resolved

Rules of Engagement

We ask that you:

  • Do not access, modify, or delete data belonging to other users
  • Do not disrupt or degrade our services (no DoS/DDoS)
  • Do not share vulnerability details publicly until we have resolved the issue
  • Do not use automated scanning tools at scale without prior coordination
  • Act in good faith and make a reasonable effort to avoid privacy violations

Out of Scope

  • Social engineering attacks (phishing, vishing)
  • Physical security issues
  • Vulnerabilities in third-party services or applications not operated by Roadsoft
  • Reports generated solely by automated tools without verified impact

Recognition

We value the security research community. Researchers who responsibly disclose valid vulnerabilities will be acknowledged on our security page (with consent). At this time, we do not offer a monetary bug bounty program.

Legal Safe Harbor

Roadsoft will not pursue legal action against individuals who discover and report vulnerabilities in accordance with this policy. This safe harbor applies to activities conducted under this policy and does not extend to violations of other applicable laws.

Contact

Email: security@rs-roadsoft.com
Web: https://www.rs-roadsoft.nl/security

Relevant Regulation

This policy is maintained in compliance with the EU Cyber Resilience Act (Regulation 2024/2847) and aligns with the Dutch Coordinated Vulnerability Disclosure (CVD) guidelines as recommended by the NCSC.