Responsible Disclosure Program

At Marktplaats we take user safety seriously and strive to ensure a safe experience for you when you use our websites. When properly reported, we will quickly investigate all legitimate reports of security vulnerabilities and try to fix potential problems. We have adopted a responsible disclosure policy to encourage reports.

We recognize the important role that security researchers and our community play in keeping Marktplaats and our customers secure. If you believe you've found a vulnerability, we would like to work with you to investigate it as quickly as possible. Please send us as much information as possible to help us better understand the nature and scope of the possible issue.

Responsible disclosure policy

In the event you discover a site or product vulnerability, please notify us using the guidelines below. In order to enable us to review your notification and respond to your report, we will require some time to review. Therefore, we kindly request you to give us reasonable time to revert before you make any information public regarding the vulnerability and make a good faith effort to avoid destruction of data and interruption or degradation of our service during your research. In the event we believe you are not acting in good faith, we reserve all rights to bring a lawsuit against you or ask law enforcement to investigate you.

Guidelines for responsible disclosure

  • Share the site or product vulnerability with us without making it public.
  • Report in a manner that safeguards the confidentiality of the report only via this email address: responsibledisclosure+marktplaats@adevinta.com
  • Allow us a reasonable amount of time (depending on the type of vulnerability or issue you report) to respond to the issue before disclosing it to others.
  • Provide full details of the site or product vulnerability, including Proof-of-Concept URL, the details of the system where the tests were conducted and detailed reproduction steps.


Once you have provided us with the information as described above, we will investigate the reported matter. As soon as we have an understanding/assessment of the vulnerability, we will determine what type of vulnerability it is.
In case any vulnerability would constitute or lead to a personal data breach, as defined by applicable law, we will notify such personal data breach in accordance with the requirements under applicable law.
Do not engage in security research that involves:

  • Potential or actual damage to users, systems, data or applications.
  • Exploit a vulnerability further than necessary to establish its existence.
  • Viewing other users’ data
  • the corruption of data
  • Conducting any activities that may disrupt our services.
  • The use of port scans on our network blocks or executing DDoS attacks.
  • Violating privacy policies, destroying data, interrupt or otherwise degrading Marktplaats.nl systems or the systems of our affiliates during your research.


Reporting a security vulnerability
If you believe you have discovered a site or product vulnerability in a Marktplaats hosted website, please send a report with a thorough explanation of the vulnerability via this email address: responsibledisclosure+marktplaats@adevinta.com

If you are attempting to report spam or abuse, please send an email to:
Spam - spam@marktplaats.nl
Abuse - abuse@marktplaats.nl
For other notifications or questions please use our Chat

Security vulnerability bounty

To show our appreciation for our security researchers and community, we offer a monetary bounty for reporting certain qualifying security vulnerabilities to us. Here's how it works:

Eligibility

To qualify for a bounty, you must:

  • Adhere to our responsible disclosure policy as outlined above;
  • Give us a reasonable amount of time (depending on the type of vulnerability or issue you report) to respond to your report before making any information public and make a good faith effort to avoid destruction of data and interruption or degradation of our service during your research;
  • Be the first person to report the vulnerability responsibly and fully (including steps to reproduce);
  • Report a vulnerability that could compromise the integrity of Marktplaats data.
  • Act in good faith.

Our security team will assess each vulnerability to determine if it qualifies.

Rewards

Certain site and product vulnerabilities that are being reported may lead to monetary rewards at’ Marktplaats sole discretion.

We only reward the first reporter of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.

We will not negotiate the payout amount in response to duress or threats (e.g. withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).

Exclusions

The following security vulnerabilities are NOT eligible for a bounty (and we do not recommend testing for these):

  • Denial of Service Vulnerabilities
  • Spam, Phishing or Social Engineering techniques
  • Brute force password cracking
  • Use of outdated software / library versions
  • "Advisory" or "Informational" reports that do not include any Marktplaats specific testing or context

What can you expect from us?

  • You can expect us to respond to your message within 5 business days.
  • We will not pass on your personal details to third parties without your permission, unless it is necessary to comply with a legal obligation. You may report under a pseudonym or anonymously.
  • We will keep you informed of the progress while resolving the issue.
  • In the public information concerning the reported problem, we will give your name as the discoverer of the problem (unless you desire otherwise).
  • We will handle your report with strict confidentiality and not pass on your personal details to third parties without permission.
  • We only reward the first reporter of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.

If users/individuals do not adhere to the above mentioned policies, we reserve the right to take appropriate (legal) measures and/or get law enforcement involved.
These Marktplaats Security Vulnerability Policies are governed by Dutch law.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Omhoog