Vulnerability Disclosure Policy

Purpose

RideOnTrack is committed to the security of its products and services. We encourage responsible disclosure of security vulnerabilities by security researchers, customers, and other third parties. This policy describes how to report a vulnerability and what you can expect from us in response.

Scope

This policy applies to security vulnerabilities discovered in any software product or digital service developed and maintained by RideOnTrack BV, including but not limited to the MCCS, MCX, FRMCS and Condition-based maintenance product lines.

How to Report a Vulnerability

Security vulnerabilities can be reported via:

Your report should include, where possible: a description of the vulnerability, the affected product and version, steps to reproduce, potential impact, and any suggested mitigation.

What to Expect from Us

Step                                    Timeline
Acknowledgement of your report          Within 5 business days
Initial assessment and triage           Within 10 business days
Status update                           Every 30 days until resolved
Notification of fix or mitigation       Upon release of the fix

Our Commitments

  • We will not take legal action against researchers who report vulnerabilities in good faith in accordance with this policy.
  • We will keep you informed of the progress of your report.
  • We will credit you in our release notes or security advisory if you wish, upon resolution.
  • We will handle your personal data in accordance with our Privacy Policy and GDPR obligations.

Our Responsibilities Under the CRA

In accordance with Article 14 of the EU Cyber Resilience Act, RideOnTrack will notify the national CSIRT (CCB/CERT.be) within 24 hours of becoming aware of any actively exploited vulnerability in its products, followed by a detailed report within 72 hours and a final report within 14 days.

Out of Scope

The following are outside the scope of this policy:

  • Social engineering attacks.
  • Physical security issues.
  • Vulnerabilities in third-party products not developed by RideOnTrack.