Security Policy

Vulnerability Disclosure Policy

Found a security issue in one of our systems? We want to hear from you. This page explains how to report it safely and what you can expect from us.

Version: 1.0
Date: March 2026
Owner: CISO, Omniplan B.V.
Contact: security@omniplan.nl

Introduction

Omniplan B.V. develops and maintains financial software solutions for financial advisors and banks. We are committed to the security of our systems, applications, and the data of our clients.

We recognise that external security researchers can make a valuable contribution to strengthening our security posture. This Vulnerability Disclosure Policy (VDP) describes how security researchers, clients, or other third parties can safely report a vulnerability, and how Omniplan handles such reports.

Our commitment
We will take every report seriously, investigate it thoroughly, and keep the reporter informed of progress. Omniplan will not pursue legal action against individuals who act in good faith and comply with the rules set out in this policy.

Scope

This policy applies to all digital systems, applications, and services owned or operated by Omniplan B.V.

System / Service                                                           | Scope
---------------------------------------------------------------------------|-------------
Omniplan web applications and client portals (omniplan.nl and subdomains)  | In scope
Personal Finance Platform (production environment)                         | In scope
API endpoints used by clients                                              | In scope
Omniplan corporate website (omniplan.nl)                                   | In scope
Azure infrastructure and services managed by Omniplan                      | In scope
Microsoft 365 / Entra ID (Omniplan-managed tenant)                         | In scope
Third-party systems (e.g. Microsoft, vendors) not managed by Omniplan      | Out of scope
Systems belonging to Omniplan's clients                                    | Out of scope
Physical security of office premises                                       | Out of scope
Social engineering attacks targeting Omniplan employees                    | Out of scope
Denial-of-Service (DoS/DDoS) attacks                                       | Out of scope

Ground rules for researchers

To qualify for the protections offered by this policy, a researcher must comply with the following conditions.

What we expect

  • Report the vulnerability as soon as possible via security@omniplan.nl, in English or Dutch only.
  • Provide sufficient information to reproduce the vulnerability: affected system, reproduction steps, screenshots and/or proof-of-concept material.
  • Give Omniplan reasonable time to remediate before publishing or sharing information with third parties (see section 5).
  • Act in good faith — the objective is to improve security, not to gain unauthorised access to data.
  • Maintain confidentiality about the vulnerability until it has been resolved.

What is not permitted

  • Installing backdoors, malware, or any other malicious software.
  • Copying, modifying, or deleting client or Omniplan data.
  • Performing Denial-of-Service (DoS) attacks.
  • Using automated scanning tools that may damage production environments.
  • Sharing the vulnerability with third parties without prior written consent from Omniplan.
  • Submitting reports without actual investigation (bulk or automated submissions).
  • Accessing systems beyond what is strictly necessary to demonstrate the vulnerability.
  • Social engineering, phishing, or other non-technical attack methods.

Note: Safe Harbor
Omniplan does not extend protections to researchers who violate the rules above, regardless of intent. In the event of a violation, Omniplan reserves the right to file a complaint or take further legal action.

Submitting a report

How to report
Please submit your report exclusively to security@omniplan.nl. Use the subject line [VDP] Brief description of the vulnerability. Reports in English or Dutch are accepted. A PGP key is available upon request via the same address.

What to include

  1. Type of vulnerability (e.g. XSS, SQL injection, IDOR, misconfiguration)
  2. Affected system or URL
  3. Step-by-step reproduction instructions
  4. Screenshots, logs, or Proof-of-Concept (PoC) code
  5. Potential impact and severity score (if known, e.g. CVSS)
  6. Your contact details (optional, but required for updates and acknowledgement)

Our response procedure

Omniplan commits to the following timelines upon receipt of a report.

Step                        | Timeline                | Action by Omniplan
----------------------------|-------------------------|------------------------------------------------------
Acknowledgement of receipt  | Within 5 business days  | Confirmation of receipt and case opening
Initial assessment          | Within 15 business days | Severity assessment, validation, and prioritisation
Progress updates            | Every 30 days           | Status update for as long as the case remains open
Remediation — critical/high | Target: 30 days         | Fix or mitigating control implemented
Remediation — medium/low    | Target: 90 days         | Fix or documented risk acceptance
Case closure                | After remediation       | Reporter informed of closure + acknowledgement issued

If a vulnerability cannot be remediated within the target timeline, Omniplan will inform the reporter of the reason and provide a revised expected date.

Assessment & prioritisation

Omniplan assesses vulnerabilities using CVSS v3.1, supplemented by business impact on our clients and the financial sector.

Severity | CVSS Score | Examples                                 | Remediation target
---------|------------|------------------------------------------|-------------------------------------------------------
Critical | 9.0 – 10.0 | RCE, auth bypass, mass data exposure     | 30 days · Immediate escalation to CISO + Board
High     | 7.0 – 8.9  | Privilege escalation, SQLi, SSRF         | 30 days · Escalation to CISO
Medium   | 4.0 – 6.9  | Stored XSS, CSRF, info disclosure        | 90 days
Low      | 0.1 – 3.9  | Best-practice deviations, low impact     | Next release window

Safe Harbor – Legal protections

Omniplan considers research that complies with the conditions of this policy to be authorised activity. We will not pursue legal action against individuals who:

  • Strictly adhere to the ground rules in section 3;
  • Have not copied, modified, or deleted client or Omniplan data;
  • Reported the vulnerability directly to Omniplan and have not disclosed it publicly;
  • Acted solely with the intention of improving security.

If you are uncertain whether a specific activity falls within scope, we recommend contacting us at security@omniplan.nl before proceeding with the research.

Legal basis
This policy is aligned with the NCSC Coordinated Vulnerability Disclosure (CVD) guidelines and the Dutch Public Prosecution Service guidelines on responsible disclosure.

Reward policy

Omniplan does not currently operate a formal bug bounty programme with financial rewards. We do offer the following recognition to researchers who report a valid vulnerability:

  • A personal thank-you from the CISO;
  • Acknowledgement on our Hall of Fame (upon request and with the reporter's consent);
  • Optional credit in the CVE process where applicable.

Omniplan reserves the right to revise this reward policy in the future. Any changes will be published on this page.

Coordinated disclosure

In some cases, a vulnerability may also affect software or services provided by third parties. In such situations:

  • Omniplan will coordinate disclosure with the affected third party before remediating.
  • Omniplan will inform the reporter of this coordination and the expected impact on the timeline.
  • Omniplan will adjust the standard remediation timeline if the third party requires additional time.
  • Where applicable, relevant vulnerabilities will be reported to the NCSC or CERT-NL.

For vulnerabilities with a CVSS score ≥ 7.0 in systems that process client data, Omniplan will additionally assess whether notification to the Dutch Data Protection Authority (AP) under GDPR or to DNB under DORA is required.

Version history

Version | Date       | Change                                                     | Author
--------|------------|------------------------------------------------------------|-------------------------
1.0     | March 2026 | Initial publication. Aligned with DORA Art. 10 and SOC2.   | Cloud Security Engineer