Responsible Disclosure Guideline

Pass a vulnerability on to us

Safety of our customer data is very important to us. That is why we constantly work to keep our internet services secure. Sometimes this is not enough and something goes wrong. We would highly appreciate it if you inform us of any vulnerabilities of this website so that we can take appropriate security measures. This way we can work together to improve the security of our data and systems.

Please let us know if you discover a vulnerability

You can report vulnerabilities such as:

  • Cross-Site Scripting (XSS) vulnerabilities
  • SQL injection vulnerabilities
  • Weaknesses in the secure connection


You can report a vulnerability online to us

Achmea Bank is part of Achmea. Achmea developed an online form with which you can pass on a vulnerability. Could you explain the vulnerability as clearly and completely as possible? You can also do this anonymous.

We ask you to share the problem only with us

Do not disclose the problem. This way we keep the data of our customers safe. We would highly appreciate it if you give us the time to solve the problem. You should not damage the software during your examination of the vulnerability found. You are not allowed not share data with anyone other than Achmea. Your research must never interrupt our services. During your investigation you might do something that is not permitted by law. We do not file a report if you act in good faith, with care and according to the rules below.

Keep in mind the guidelines

This responsible disclosure guideline is based on the Responsible Disclosure Guideline of the National Cyber Security Center (NCSC). The following rules apply:

  • Do not use social engineering to gain access to our systems
  • Do not put a backdoor in an information system to show the weak spot.
  • Only do what is strictly necessary to demonstrate the vulnerability.
  • Do not copy, modify or delete data. Send us only the (minimal) data that is needed  to demonstrate the problem. For example, create a directory listing or a screenshot.
  • Limit the attempts to gain access to the system. And do not share data about the access obtained with others
  • Do not use so-called 'brute force attacks' to get into our systems.


You will receive an appropriate compensation

Only if it is a serious security problem and if you took into account the guideline you will receive a compensation. We will inform you within 2 days of your report if you receive a compensation.

We only use your contact information to communicate with you about the report

We do not share your contact information with others unless we have to do so legally. For example if the justice department asks us this. Or if we see your action as a criminal offense and you do not act in good faith. In that case we will file a report with the police. If you reported anonymously, we cannot keep you informed and we cannot give you a reward.

You cannot file complaints through the responsible disclosure procedure

The responsible disclosure procedure is not intended for:

  • Reporting that the website is not available
  • Reporting fraud
  • Report phishing e-mails
  • Reporting viruses

You can contact us if you want to report one of these matters.