Report a vulnerability
If you find a vulnerability in one of our systems, let us know. That way, we can take measures to remedy it as quickly as possible. We are eager to work with you in order to more effectively protect our users and systems.
Not every flaw in a system is a vulnerability. Generally speaking, the flaws (misconfigurations) listed below do not pose a risk to security. We therefore ask you not to submit a report to us if you find one of the following flaws:
- A misconfiguration that does not affect the availability, integrity or confidentiality of information.
- The possibility of cross-site scripting on a static website or on a website that does not process any sensitive information and/or user data.
- The availability of version information, such as via an info.php file. A possible exception to this is when the version information shows that the system makes use of software with known vulnerabilities.
- The absence of HTTP security headers such as those used by Cross-Origin Resource Sharing (CORS) and others, unless this absence results in a demonstrable security issue.
Do not scan our entire network
Our policy of coordinated vulnerability disclosure is not an invitation to actively and extensively scan our network in search of vulnerabilities. We monitor our company network. This means there is a good chance that a scan will be detected, and our security team will launch an investigation. Unnecessary costs may be incurred as a result.
It is possible that, in the course of your investigation, you may commit certain acts that are punishable under criminal law. Provided you have complied with the conditions set out below, we will take no legal action against you. However, the Public Prosecution Service always retains the right to take its own decisions on whether or not to pursue criminal charges against you. The Public Prosecution Service has published a policy letter (in Dutch) on this topic.
Conditions for reporting vulnerabilities
We ask that you:
- send us your findings via our CVD report form as soon as possible;
- avoid abusing the vulnerability, such as by downloading more data than is necessary in order to demonstrate the leak or by altering or deleting data, and to be especially circumspect with personal data;
- refrain from telling others about the vulnerability until it has been resolved;
- refrain from making use of attacks on physical security or third-party applications, as well as avoiding the use of social engineering, distributed denial-of-service and spam;
- provide information that is detailed and clear enough to enable us to reproduce the vulnerability so that we can remedy it as quickly as possible. While in most cases, it will be sufficient to give us the IP address or URL of the affected system, along with a description of the vulnerability and the actions taken, we may need additional information if the vulnerability is more complex.
Our promise to you
We promise that:
- we will respond to your report within five working days, at which point we will share our assessment of the report and give a date on which the vulnerability is expected to be resolved;
- we will treat your report as confidential and will not share your personal details with third parties without your permission, unless we have a legal obligation to do so;
- we will keep you appraised of our progress toward fixing the vulnerability;
- you have the option to report a vulnerability anonymously or under a pseudonym. You should be aware that this means we will not be able to contact you about any subsequent actions, our progress toward repairing the leak or a possible publication, or in the event there is a reward for having reported the problem;
- if you wish, in our communications regarding the reported vulnerability, we will mention you by name as the party who discovered it;
- we strive to resolve all problems as quickly as possible and to keep all involved parties well informed. Once a vulnerability has been resolved, we welcome the opportunity to collaborate on a publication concerning that vulnerability.
Our policy is based on SURFnet's ‘Model policy and procedure for responsible disclosure in higher education’ and the sample policy from Floor Terra, which was published under a Creative Commons Attribution 3.0 license.