Introduction
At MITE3, we strive for a high level of security in our ICT systems. However, vulnerabilities can still occur. We greatly appreciate your help in identifying and reporting them responsibly.
This procedure is based on the Responsible Disclosure guideline from the Dutch National Cyber Security Centre (NCSC).
Scope
This Responsible Disclosure policy applies exclusively to systems, applications, and infrastructure that are owned, operated, and directly managed by MITE3.
Findings related solely to third-party services, shared infrastructure, content delivery networks (CDNs), cloud platforms, or externally managed systems, including findings based only on DNS records (such as CNAMEs), are out of scope and will not be processed.
Found a Vulnerability?
Have you discovered a weakness in one of our systems? Please let us know as soon as possible via [email protected]. We’re happy to work with you to resolve the issue safely and quickly.
What We Ask From You
- Email your findings to [email protected]
- Provide sufficient information to reproduce the issue on a MITE3-managed system, including evidence that the affected asset is under MITE3 operational control (e.g. URL, IP address, and a brief description)
- Include a way to contact you (e.g., email address or phone number), so we can coordinate a solution
- Report the vulnerability as soon as possible after discovery
- Do not share your findings with others until the issue has been resolved
- Handle what you learn responsibly: demonstrate that the issue exists without causing further harm
What You Are Not Allowed to Do
To enable safe research without legal risks, the following actions are explicitly prohibited:
- Installing malware
- Copying, modifying, or deleting data
- Making changes to systems
- Accessing systems repeatedly or sharing access with others
- Brute-forcing access (using automated login attempts)
- Conducting Denial-of-Service attacks
- Using social engineering techniques (such as phishing or deceiving employees)
Non-Qualifying Reports
The following are not considered valid vulnerabilities:
- Findings based solely on automated scanning tools without manual validation
- Generic configuration observations without demonstrated security impact
- Issues affecting only third-party, shared, or externally managed infrastructure
- Reports concerning deprecated protocols or cipher suites without demonstrated impact on a MITE3-managed system
What You Can Expect From Us
If you adhere to the above conditions:
- No legal consequences will be associated with your report
- You will receive an acknowledgment within 3 business days
- You will receive a substantive response within 5 business days, including an assessment and expected resolution timeframe
- We will keep you informed of the progress
- We will resolve the issue as soon as possible, and within 90 days at the latest
- Your report will be treated confidentially and your personal data will not be shared with third parties (unless legally required)
Reward
Depending on the severity of the security issue, its relevance to MITE3-managed systems, and the quality of your report, we may offer an appropriate reward.
Conditions:
- The vulnerability must be new and relevant
- The vulnerability must not relate to standard software or cloud services that we currently use
- You must enable us to verify the issue
Submit a Report
Send your report to [email protected]. If possible, please include the following:
Contact details:
- Name or pseudonym
- Email address
Technical details:
- IP address(es)
- Domain name / URL
- Relevant headers or payloads (if applicable)
Description of the vulnerability:
- Explanation of the issue
- Risk or potential impact
- Any proof-of-concept
- Suggestions for a fix
For more information, please see our security.txt file:
https://mite3.nl/.well-known/security.txt