At the CIO Platform Nederland we find the security of our systems very important. Despite our concern for the security of our systems it is possible that there is still a weak spot.
If you have found a flaw in one of our systems, we would like to hear this from you so we can take action as soon as possible. We would like to cooperate with you in order to better protect our users and our systems.
Mind you, this is not an invitation to active extensive scan our website(s) and systems for vulnerabilities.
We ask you to (conditions for the recognition of Coordinated Vulnerability Disclosure):
- Mail your findings to this address
- Not to abuse the problem you found by downloading for example more data than necessary to show the leak or to take a look at third-party data, delete or modify, or eg. to place a 'backdoor'
- Not to share the problem with others until it is dissolved
- To delete all confidential information obtained through the leak immediately after the closing of the leak
- Not to use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications, and
- Provide sufficient information to reproduce the problem so we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability sufficient, but more complex vulnerabilities may be required.
What we promise:
- We will respond within one business day to your report to confirm receipt
- We strive to subsequently respond within 5 working days to your message with our assessment of the report and an expected date for a solution
- If you have taken the above conditions into account, we will not take legal action against you for the notification
- We treat your report confidentially and will not share your personal information with third parties without your permission unless this is necessary to fulfill a legal obligation. Report under a pseudonym is possible, but may have implications for maintaining contact on a follow-up of the investigation into the report
- We will keep you informed of the progress of solving the problem,
- In reporting on the reported issue, we will, if you wish, mention your name as the discoverer, and
- We strive to resolve any problems as quickly as possible and we like to be involved in any publication about the problem after it has been dissolved..
If it turns out that a vulnerability can not be solved or is difficult to solve, or if high costs are involved in solving it, we reserve the right, in consultation with the discoverer, to consider the vulnerability as accepted risk and not to recover.
The Coordinated Vulnerability Disclosure scheme follows the guidelines of the National Cyber Security Centre (www.ncsc.nl) and the example of Coöperatie SURF U.A. (www.surf.nl).