This external policy is meant for members of the public, security researchers and organisations, to facilitate the exchange of information about vulnerabilities in HEINEKEN’s digital footprint.

We do realise that, in spite of our best intentions and greatest care, vulnerabilities may exist in our systems. If you do happen to find one of these weaknesses, we would love to hear from you so we can resolve the issue. Before reporting, though, please review this page.

What we expect from you

  • When you are investigating one of our systems, bear in mind the proportionality of the attack. Do not exploit a security issue or potential security issue that you discover.
  • Only use methods that are strictly necessary for finding or pointing out the vulnerabilities. Use the weaknesses you have identified only for your own investigations and never for any other purpose.
  • Ensure that your own systems are kept as well protected as possible.
  • If the issue you are considering reporting relates to user accounts, do not conduct testing outside of your own account, a test account, or another account for which you have the explicit written consent of the account owner to test.
  • Give us reasonable time to investigate and mitigate an issue that you report before publicly disclosing any information about the report or sharing such information with others.
  • A vulnerability should be reported to us as soon as possible by sending an email to responsible.disclosure@heineken.com. Please provide us with enough information so we can reproduce and investigate the issue.
  • Use the public OpenPGP key for the disclosure mailbox.
  • Do not share your knowledge of the vulnerability with others while we have not yet addressed the issue and are still within a reasonable timeframe since the issue was reported.
  • As soon as we have solved the vulnerability you must delete all confidential information, including but not limited to any personal information, obtained during your investigation.
  • Do not change or delete any details in the system. Never copy more data than necessary. If a single record is sufficient for your investigations, do not copy any more.
  • Do not penetrate a system more often than necessary and do not share the access you gained with others.

What you can expect from us

  • We will respond to your report within seven days. We will include an estimate of the time we will require to address the issue. We will keep you posted on our progress if you want to.
  • We will resolve the vulnerability as soon as possible. Proportionality is important, meaning that the amount of time required to solve a vulnerability depends on several factors, including the severity and the complexity of the vulnerability.
  • We do not operate or cooperate with a Bug Bounty Programme and do not allow commercial acquisition based on responsible disclosure. As such we will not provide incentives. However, we will mention your name in a publication regarding the vulnerability if you wish, and only if you agree to this.
  • If you choose to provide us with your personal details, your personal data will only be used to undertake further action based on the information you provide in your report. Unless necessary to comply with the law, we will not share your personal data with any third parties without your permission.
  • Should you find a vulnerability in third party software that we use, and that vulnerability is covered by a bug bounty program, we will not try to claim this bounty; you should.
  • When you follow the guidelines that are laid out here, we will not take legal action against you regarding your report. We cannot guarantee that you will never be prosecuted if you commit a criminal offence during the course of your investigations, even if we do not report such an offence ourselves. At the end of the day, the public prosecutor always has the final say as to whether or not you will be prosecuted. We have no say in this.
  • Is personal information of our employees, business partners or others involved? We might have to notify these individuals or our supervisory authorities that a data breach occurred, under the data protection laws we are subject to. On average we will need to do this within 72 hours. Unless required, we will not reveal any details that may identify you when we do so.