Date of last update: 02/06/2020
We feel that our own IT-systems should be secure and exemplary and therefore we pursue the highest level of standards in regard to security. Yet it can happen that there is a vulnerability in one of our systems. What you can do when you find a vulnerability can be read on this page.
This procedure is based on the Responsible Disclosure guide of the National Cyber Security Center (NCSC) of the Dutch government.
Vulnerabilities in IT-systems
If you have found a vulnerability in one of the IT-systems of us, we would like to hear from you. This, so that we can apply the necessary mitigation as soon as possible. We would like to work with you to better protect the security of our IT-systems. With this in mind, we apply the following policy regarding the handling of reports of vulnerabilities identified by you. This you can expect this from us if you report a vulnerability in one of our systems.
We ask you
- Email your findings to [email protected].
- Provide sufficient information to reproduce the problem so that we can solve it as quickly as possible.
- Usually the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more complex vulnerabilities may require more.
- Leave contact information so that we can come into contact with you to work together on a safe solution.
- Leave at least an e-mail address or telephone number.
- Report this to us as soon as possible after discovery of the vulnerability.
- Do not share the information about the security problem with others until it is resolved.
- Act responsibly with the information about the security problem by not doing any actions beyond what is necessary to demonstrate the security problem.
We do not allow the following
- Placing malware.
- Copying, modifying or deleting data in a system (an alternative for this is making a directory listing of a system).
- Making changes to the system.
- To gain access to the system repeatedly or to share access with others.
- Making use of the so-called “brute-forcing” to get access to systems.
- Use denial-of-service or social engineering techniques and methods.
What you can expect
- If you meet the above conditions when reporting a vulnerability identified in one of our IT-system, no legal consequences are and will be attached to the report.
- We treat a report confidentially and we never share personal information without the consent of the reporter with third parties, unless this is required by law or pursuant to a court order.
- With mutual consent we can, if you wish, mention your name as the discoverer of the reported vulnerability.
- We will send you an acknowledgment of receipt within 1 working day.
- We respond within 3 working days to a report with the assessment of the report and an expected date for a solution.
- We keep the notifier informed of the progress of the problem.
- We resolve the security problem that you identify in a system as quickly as possible, but no later than 90 days. It can be determined in mutual consultation whether and how the problem can be published after it has been resolved.
- We may offer a reward as a thank you for the help. Depending on the seriousness of the security problem and the quality of the report, that reward can vary from, for example, a T-shirt to a maximum of € 100. It has to be an unknown and serious security problem for us. And the security issue should not concern up to date and off-the-shelf software and/or cloud services that we have purchased or use.
- You can also, if you wish, be mentioned in our Hacker Hall-of-Fame.
Reports can be submited via the e-mail address [email protected]. Make sure that the following items (when applicable) are addressed in the email.
- Contact details:
- Technical data:
- Elaboration vulnerability:
- Impact or risk
- Solution directions