Responsible Disclosure
Of course, we believe that our ICT systems should be secure, and therefore we strive for a high level of security. However, it can happen that a weak spot occurs in one of our systems. What you can do when you find a vulnerability can be read on this page.
This procedure is based on the Responsible Disclosure guidelines of the National Cyber Security Centre (NCSC) of the Dutch government.
Vulnerabilities in IT Systems
If you have found a weak spot in one of our IT systems, we would like to hear from you, so that we can apply the necessary measures as quickly as possible. We would like to work with you to better protect the security of our ICT systems. With this in mind, we implement the following policy regarding the handling of reports of vulnerabilities you have identified. You can hold us to this when you find a weak spot in one of the systems.
We ask you
- To email your findings to [email protected].
- To provide enough information to reproduce the problem so that we can resolve it as quickly as possible.
- Usually, the IP address or the URL of the affected system and a description of the vulnerability is sufficient, but more may be needed for more complex vulnerabilities.
- To leave contact details so that we can get in touch with you to work together on a safe solution.
- Therefore, leave at least an email address or phone number.
- To make the report as soon as possible after discovering the vulnerability.
- Not to share the information about the security issue with others until it is resolved.
- To responsibly handle the knowledge about the security issue by not performing actions that go further than necessary to demonstrate the security problem.
We do not allow the following
- Placing malware.
- Copying, modifying, or deleting data in a system (an alternative for this is making a directory listing of a system).
- Making changes to the system.
- Repeatedly accessing the system or sharing the access with others.
- Using “brute-force” techniques to gain access to systems.
- Using denial-of-service or social engineering techniques and methods.
What you can expect
- If you comply with the above conditions when reporting a vulnerability you have identified in one of our ICT systems, there will be no legal consequences attached to this report.
- We treat a report confidentially and never share personal data without the consent of the reporter with third parties, unless legally or by court order required.
- In mutual consultation, we can mention your name as the discoverer of the reported vulnerability, if you wish.
- We will send you a confirmation of receipt within 1 working day.
- We will respond within 3 working days to a report with the assessment of the report and an expected date for a solution.
- We keep the reporter informed of the progress of resolving the problem.
- We will resolve the security issue in a system identified by you as quickly as possible, but at the latest within 90 days. In mutual consultation, it can be determined whether and in what way about the problem, once it is resolved, can be published.
- We may offer a reward as a thank you for the help. Depending on the severity of the security issue and the quality of the report, this reward can vary from, for example, a T-shirt to a maximum amount of €100. It must, however, be a security issue previously unknown to us and serious. And the security issue must not concern up-to-date and off-the-shelf software and/or Cloud services that we purchase.
- You can also be mentioned in our Hacker Hall-of-Fame, if you wish.
Making a report
Reports can be made via the email address [email protected]. Please ensure that the following matters (where applicable) are addressed in the email.
- Contact details:
- Name/nickname
- Email address
- Technical details:
- IP addresses
- Domain names
- URLs
- Elaboration of vulnerability:
- Explanation
- Impact or risk
- Proof-of-Concept
- Possible solutions
For more information, see this link: https://www.mite3.nl/.well-known/security.txt