Coordinated Vulnerability Disclosure (English)

See our coordinated vulnerability disclosure hall of fame

Hall of Fame archives: (2023) (2022) (2021) (2020) (2019) (2018) (2017)


The Informatiebeveiligingsdienst (IBD or Information Security Service of Dutch Municipalities) contributes to enhancing the information security of Dutch municipalities.

Vulnerabilities in ICT systems of the IBD

If you have found a weak spot in one of the ICT systems of the IBD, the IBD would like to hear about it from you, so that the necessary measures can be taken as quickly as possible to rectify the vulnerability. To deal with vulnerabilities in the IBD ICT systems responsibly, we propose the agreements below. You may hold the IBD to these when you discover a weak spot in one of our systems.

The IBD asks you:

  • E-mail your findings to [email protected]. Where possible, encrypt your findings with the PGP key of the IBD to prevent the information from falling into the wrong hands.
  • Provide sufficient information to reproduce the problem so that the IBD can solve the problem as quickly as possible. The IP address or the URL of the system affected and a description of the vulnerability is usually sufficient, but more may be needed for more complex vulnerabilities.
  • Leave your contact details so that the IBD can contact you and work with you towards a secure outcome. Leave at least an e-mail address or a telephone number.
  • Report the vulnerability as quickly as possible after its discovery.
  • Do not share the information on the security problem with others until the problem has been solved.
  • Handle your knowledge of the security problem with care: perform no acts other than those necessary to demonstrate the security problem.

Avoid in any case the following acts:

  • installing malware.
  • copying, changing or deleting data in a system (making a directory listing of the system is an acceptable alternative for demonstrating access).
  • making changes to a system.
  • repeatedly accessing the system or sharing access with others.
  • using so-called “brute force” to access systems.
  • using denial-of-service or social engineering.

What you can expect:

  • If you comply with the conditions above when reporting the observed vulnerability in an ICT system of the IBD, the IBD will not attach any legal consequences to this report.
  • The IBD handles a report confidentially and does not share personal details with third parties without permission from the reporter, unless this is mandatory by virtue of a judicial decision.
  • In mutual consultation, the IBD can, if you desire, mention your name as the discoverer of the reported vulnerability in our Hall of Fame.
  • The IBD will send you a confirmation of receipt within one working day.
  • The IBD responds to a report as quickly as possible with an assessment of the report and an expected date for a solution.
  • The IBD keeps the reporter up-to-date on the progress made with solving the problem.
  • The IBD solves the security problems you have observed in a system as quickly as possible, and no later than within 60 days. Whether and how the problem is published after it has been solved is decided in mutual consultation.
  • The IBD offers a small token of appreciation for serious problems.

Vulnerabilities in ICT systems of third parties:

The IBD would also like to hear from you if you find a weak spot in the systems of Dutch municipalities. In such cases the IBD acts as an intermediary so that a result can be achieved together.

For reports on systems of municipalities:

  • The IBD will respond to a report within three working days by contacting the owner of the system and giving you a response.
  • The municipality is primarily responsible for keeping the reporter informed about the progress made in solving the problem.
  • The IBD will help the municipality with advice so that the security problem can be solved as soon as possible.