Responsible Disclosure



Working on system security

Every day, specialists at Robeco are busy improving the systems and processes. This helps to protect the details of our clients against misuse and also ensures the continuity of our services. However, this does not mean that our systems are immune to problems. If problems are detected, we would like your help.

What can we expect from one another?

Report any problems about the security of the services Robeco provides via the internet. If you discover a problem or weak spot, then please report it to us as quickly as possible. Examples of vulnerabilities that need reporting are:

  • cross-site scripting vulnerabilities

  • SQL-injection vulnerabilities

  • encryption weaknesses


What do we expect from you?

Ensure that you do not cause any damage while the detected vulnerability is being investigated. Your investigation must not in any event lead to an interruption of services or lead to any details being made public of either the asset manager or its clients.

What do we do with your report?

A team of security experts investigates your report and responds as quickly as possible. We ask you not to make the problem public, but to share it with one of our experts. Give them the time to solve the problem. We will let you know what our assessment of your report is, whether we will provide a solution and when we plan to do that.

Rules of the game

There is a risk that certain actions during an investigation could be punishable. If you act in good faith, carefully and in line with the rules of the game supplied, there is no reason for Robeco to report you. So follow the rules as stated in these responsible disclosure guidelines and do not act disproportionately:

  • Do not use social engineering to gain access to a system.

  • Do not place a backdoor in an information system in order to then demonstrate the vulnerability, as this can lead to further damage and involves unnecessary security risks.

  • Make as little use as possible of a vulnerability. Only perform actions that are essential to establishing the vulnerability.

  • Do not edit or delete any data from the system and be as cautious as possible when copying data (if one record is enough to demonstrate the problem, then do not proceed further).

  • Do not introduce any system changes.

  • Do not try to repeatedly access the system and do not share the access obtained with others.

  • Do not use any so-called 'brute force' to gain access to systems. After all, that is not really about vulnerability but about repeatedly trying passwords.

How should you submit a report?

If you have detected a vulnerability, then please contact us using the form below.

What does not need to be reported via the disclosure point?

The disclosure point is not intended for:

  • submitting complaints about services

  • making fraud reports and/or suspicions of fraud reports from false mail or phishing e- mails

  • reporting viruses

  • submitting complaints or questions about the availability of the website


Describe your findings

Let's keep the conversation going

Robeco is an international asset manager offering an extensive range of active investments, from equities to bonds.

Read more
Robeco

Robeco aims to enable its clients to achieve their financial and sustainability goals by providing superior investment returns and solutions.

Important information: This website is prepared and issued in Australia by Robeco Hong Kong Limited (ARBN 156 512 659) (‘Robeco’) which is exempt from the requirement to hold an Australian financial services licence under the Corporations Act 2001 (Cth) pursuant to ASIC Class Order 03/1103. Robeco is regulated by the Securities and Futures Commission under the laws of Hong Kong and those laws may differ from Australian laws. The information on this web page is provided to you because Robeco reasonably believes that you are a "wholesale client" within the meaning of that term under section 761G(4) of the Corporations Act 2001 (Cth) ("Corporations Act") and not any other class of persons. This information is not an advertisement and is not intended to induce retail clients to acquire Robeco products. Retail clients who are interested in Robeco products should contact their financial adviser.