{"id":10718,"date":"2026-04-09T14:26:26","date_gmt":"2026-04-09T14:26:26","guid":{"rendered":"https:\/\/picnic.app\/nl\/?page_id=10718"},"modified":"2026-04-09T14:26:27","modified_gmt":"2026-04-09T14:26:27","slug":"responsible-disclosure","status":"publish","type":"page","link":"https:\/\/picnic.app\/nl\/responsible-disclosure\/","title":{"rendered":"Responsible disclosure"},"content":{"rendered":"<div class=\"custom-file-display\"><style>\n    .responsible-disclosure {\n        margin-left: auto;\n        margin-right: auto;\n        max-width: 1440px;\n        padding: 5rem 6.25rem 4rem;\n        font-family: Arial, sans-serif;\n    }\n\n    .responsible-disclosure h1 {\n        color: #333;\n        margin-bottom: 1rem;\n    }\n\n    .responsible-disclosure h2 {\n        color: #333;\n        margin-top: 2.5rem;\n        margin-bottom: 1rem;\n    }\n\n    .responsible-disclosure h3 {\n        color: #333;\n        margin-top: 2rem;\n        margin-bottom: 0.75rem;\n    }\n\n    .responsible-disclosure p {\n        color: #555;\n        line-height: 1.7;\n        margin-bottom: 1rem;\n    }\n\n    .responsible-disclosure ul {\n        color: #555;\n        line-height: 1.7;\n        padding-left: 1.5rem;\n        margin-bottom: 1rem;\n    }\n\n    .responsible-disclosure ul li {\n        margin-bottom: 0.5rem;\n    }\n\n    .responsible-disclosure .divider {\n        border: none;\n        border-top: 1px solid #e0e0e0;\n        margin: 2.5rem 0;\n    }\n\n    .responsible-disclosure .section-block {\n        background-color: #fff;\n        border-radius: 8px;\n        padding: 2rem 2.5rem;\n        margin-bottom: 1.5rem;\n        box-shadow: 0 0 6px rgba(0, 0, 0, 0.06);\n    }\n\n    .responsible-disclosure .contact-highlight {\n        font-weight: 700;\n        color: #333;\n    }\n\n    .responsible-disclosure a {\n        color: #0077cc;\n        text-decoration: none;\n    }\n\n    .responsible-disclosure a:hover {\n        text-decoration: underline;\n    
}\n\n    @media (max-width: 768px) {\n        .responsible-disclosure {\n            padding: 3rem 1.5rem 2.5rem;\n        }\n\n        .responsible-disclosure .section-block {\n            padding: 1.5rem;\n        }\n    }\n\n    @media (max-width: 480px) {\n        .responsible-disclosure {\n            padding: 2rem 1rem 2rem;\n        }\n\n        .responsible-disclosure .section-block {\n            padding: 1.25rem 1rem;\n        }\n    }\n<\/style>\n\n<div class=\"responsible-disclosure\">\n    <h1>Responsible Disclosure<\/h1>\n    <p>Spotted something off? Let us know. Security is core to how we operate at Picnic Technologies \u2014 and the security research community plays a key role in helping us maintain it.<\/p>\n    <p>This page explains how to share your findings with us responsibly, and what you can expect from us in return.<\/p>\n\n    <hr class=\"divider\">\n\n    <div class=\"section-block\">\n        <h2>Have you found a security vulnerability?<\/h2>\n        <p>We take every report seriously. 
If you&#8217;ve discovered a potential security issue in one of Picnic&#8217;s systems or applications, please share it with us using the guidelines below.<\/p>\n        <p>We will investigate your report, keep you informed of our progress, and recognise your contribution.<\/p>\n    <\/div>\n\n    <hr class=\"divider\">\n\n    <div class=\"section-block\">\n        <h2>Guidelines<\/h2>\n\n        <h3>What we ask you to do<\/h3>\n        <ul>\n            <li>Test only on systems you own or have explicit permission to access<\/li>\n            <li>Report your finding privately and promptly \u2014 do not share it with others before we have resolved it<\/li>\n            <li>Provide clear, reproducible steps so our team can understand and validate the finding<\/li>\n            <li>Give us reasonable time to investigate and remediate before any public disclosure<\/li>\n        <\/ul>\n\n        <h3>What you must never do<\/h3>\n        <ul>\n            <li>Install malware, backdoors, or any malicious software on any system<\/li>\n            <li>Launch denial-of-service (DoS\/DDoS) attacks<\/li>\n            <li>Use social engineering, phishing, or physical access techniques<\/li>\n            <li>Access, download, or modify data belonging to other users<\/li>\n            <li>Use brute force or aggressive automated scanning tools<\/li>\n            <li>Share or retain sensitive data beyond what is strictly needed to demonstrate the vulnerability<\/li>\n            <li>Publicly disclose the finding before it has been resolved<\/li>\n        <\/ul>\n    <\/div>\n\n    <hr class=\"divider\">\n\n    <div class=\"section-block\">\n        <h2>Out of Scope<\/h2>\n        <ul>\n            <li>Self-XSS \u2014 requires the victim to execute the payload in their own browser<\/li>\n            <li>Missing security headers (CSP, X-Frame-Options, HSTS, etc.) 
without a working exploit demonstrating real impact<\/li>\n            <li>Automated scanner output submitted without manual validation or demonstrated impact<\/li>\n            <li>Theoretical vulnerabilities with no working proof-of-concept<\/li>\n        <\/ul>\n    <\/div>\n\n    <hr class=\"divider\">\n\n    <div class=\"section-block\">\n        <h2>How to report<\/h2>\n        <p>Send your report to <span class=\"contact-highlight\">security@picnic.nl<\/span><\/p>\n        <p>Please include:<\/p>\n        <ul>\n            <li>A clear description of the vulnerability<\/li>\n            <li>The system or URL affected<\/li>\n            <li>Steps to reproduce the issue<\/li>\n            <li>Any supporting evidence (screenshots, logs, proof-of-concept)<\/li>\n        <\/ul>\n        <p>We will acknowledge your report and keep you informed as we investigate.<\/p>\n    <\/div>\n\n    <hr class=\"divider\">\n\n    <div class=\"section-block\">\n        <h2>Acknowledgement<\/h2>\n        <p>We publicly recognise researchers who help keep Picnic secure.<\/p>\n        <p>Researchers who responsibly disclose valid vulnerabilities will be added to our <a href=\"\/responsible-disclosure\/hall-of-fame\">Security Hall of Fame<\/a>. 
Eligibility is assessed internally based on the validity and impact of the reported finding.<\/p>\n    <\/div>\n<\/div>\n<\/div>\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":948,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-10718","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.8 (Yoast SEO v25.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Responsible disclosure - Picnic NL<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/picnic.app\/nl\/responsible-disclosure\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Responsible disclosure - Picnic NL\" \/>\n<meta property=\"og:url\" content=\"https:\/\/picnic.app\/nl\/responsible-disclosure\/\" \/>\n<meta property=\"og:site_name\" content=\"Picnic NL\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/picnicNL\/\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-09T14:26:27+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@picnic\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/picnic.app\/nl\/responsible-disclosure\/\",\"url\":\"https:\/\/picnic.app\/nl\/responsible-disclosure\/\",\"name\":\"Responsible disclosure - Picnic NL\",\"isPartOf\":{\"@id\":\"https:\/\/picnic.app\/nl\/#website\"},\"datePublished\":\"2026-04-09T14:26:26+00:00\",\"dateModified\":\"2026-04-09T14:26:27+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/picnic.app\/nl\/responsible-disclosure\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/picnic.app\/nl\/#website\",\"url\":\"https:\/\/picnic.app\/nl\/\",\"name\":\"Picnic\",\"description\":\"De online supermarkt!\",\"publisher\":{\"@id\":\"https:\/\/picnic.app\/nl\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/picnic.app\/nl\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/picnic.app\/nl\/#organization\",\"name\":\"Picnic NL\",\"url\":\"https:\/\/picnic.app\/nl\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/picnic.app\/nl\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/d2jxuf8ovdiw8x.cloudfront.net\/uploads\/sites\/18\/2020\/11\/logo.png\",\"contentUrl\":\"https:\/\/d2jxuf8ovdiw8x.cloudfront.net\/uploads\/sites\/18\/2020\/11\/logo.png\",\"width\":1024,\"height\":1024,\"caption\":\"Picnic NL\"},\"image\":{\"@id\":\"https:\/\/picnic.app\/nl\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/picnicNL\/\",\"https:\/\/x.com\/picnic\",\"https:\/\/www.instagram.com\/picnic\/\"]}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Responsible disclosure - Picnic NL","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/picnic.app\/nl\/responsible-disclosure\/","og_locale":"en_US","og_type":"article","og_title":"Responsible disclosure - Picnic NL","og_url":"https:\/\/picnic.app\/nl\/responsible-disclosure\/","og_site_name":"Picnic NL","article_publisher":"https:\/\/www.facebook.com\/picnicNL\/","article_modified_time":"2026-04-09T14:26:27+00:00","twitter_card":"summary_large_image","twitter_site":"@picnic","twitter_misc":{"Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/picnic.app\/nl\/responsible-disclosure\/","url":"https:\/\/picnic.app\/nl\/responsible-disclosure\/","name":"Responsible disclosure - Picnic NL","isPartOf":{"@id":"https:\/\/picnic.app\/nl\/#website"},"datePublished":"2026-04-09T14:26:26+00:00","dateModified":"2026-04-09T14:26:27+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/picnic.app\/nl\/responsible-disclosure\/"]}]},{"@type":"WebSite","@id":"https:\/\/picnic.app\/nl\/#website","url":"https:\/\/picnic.app\/nl\/","name":"Picnic","description":"De online supermarkt!","publisher":{"@id":"https:\/\/picnic.app\/nl\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/picnic.app\/nl\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/picnic.app\/nl\/#organization","name":"Picnic 
NL","url":"https:\/\/picnic.app\/nl\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/picnic.app\/nl\/#\/schema\/logo\/image\/","url":"https:\/\/d2jxuf8ovdiw8x.cloudfront.net\/uploads\/sites\/18\/2020\/11\/logo.png","contentUrl":"https:\/\/d2jxuf8ovdiw8x.cloudfront.net\/uploads\/sites\/18\/2020\/11\/logo.png","width":1024,"height":1024,"caption":"Picnic NL"},"image":{"@id":"https:\/\/picnic.app\/nl\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/picnicNL\/","https:\/\/x.com\/picnic","https:\/\/www.instagram.com\/picnic\/"]}]}},"_links":{"self":[{"href":"https:\/\/picnic.app\/nl\/wp-json\/wp\/v2\/pages\/10718","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/picnic.app\/nl\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/picnic.app\/nl\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/picnic.app\/nl\/wp-json\/wp\/v2\/users\/948"}],"replies":[{"embeddable":true,"href":"https:\/\/picnic.app\/nl\/wp-json\/wp\/v2\/comments?post=10718"}],"version-history":[{"count":7,"href":"https:\/\/picnic.app\/nl\/wp-json\/wp\/v2\/pages\/10718\/revisions"}],"predecessor-version":[{"id":10725,"href":"https:\/\/picnic.app\/nl\/wp-json\/wp\/v2\/pages\/10718\/revisions\/10725"}],"wp:attachment":[{"href":"https:\/\/picnic.app\/nl\/wp-json\/wp\/v2\/media?parent=10718"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}