Coordinated vulnerability disclosure
We consider the security of our systems and processes very important. Despite all precautions, it remains possible that a vulnerability exists in one of our systems. If you discover one, we would like to hear from you so that we can take appropriate measures quickly. By submitting a report, you - as the reporter - agree to the terms and conditions for Coordinated Vulnerability Disclosure set out below. We in turn will handle your report in accordance with these same terms and conditions.
What should you do when you discover a vulnerability?
- Mail your findings to cvd@doetinchem.nl. If possible, encrypt your findings with our PGP key so that the information cannot fall into the wrong hands. You can find the PGP key at the bottom of this page.
- Provide enough information for us to find and reproduce the problem, so that we can fix it as soon as possible. Your report should include:
- the IP address or URL of the affected system;
- a Proof of Concept (PoC) showing how the vulnerability can be reproduced;
- if available, the CVE identifier (CVE is the public catalogue of known vulnerabilities in software);
- a clear description of the vulnerability.
- Please submit the report as soon as possible after discovering the vulnerability.
- We welcome tips that help us solve the problem. Please limit yourself to verifiable facts that relate to the vulnerability you have discovered, and do not turn your advice into advertising for specific (security) products.
- Leave your contact details so that we can get in touch with you and work together towards a secure outcome. Provide at least one email address or phone number.
Which actions are not permitted?
- Going further than is strictly necessary to demonstrate and report the security vulnerability. This applies in particular to processing (including viewing or copying) confidential data to which the vulnerability gave you access. Instead of copying an entire database, a directory listing, for example, is normally sufficient. Modifying or deleting data in the system is never permitted.
- Disclosing or providing information about the security vulnerability to third parties before the vulnerability has been resolved.
- Exploiting the vulnerability in any other way, including by means of:
- attacks on physical security;
- social engineering, including phishing;
- techniques that reduce the availability and/or usability of the system or its services (DoS attacks);
- placing malware, on our systems or on those of others;
- so-called "brute-forcing" of access to systems.
What can you expect from us?
- We treat your report as confidential. We do not share your personal data with third parties without your consent, unless we are required to do so by law or by court order.
- We will send you an (automatic) acknowledgement of receipt within 1 business day.
- We respond to your report within 7 business days with an (initial) assessment and, where possible, an expected date for resolution.
- We resolve the security vulnerability you reported as soon as possible. We strive to keep you well informed of the progress and to resolve the vulnerability within 90 days. In this respect we are often partly dependent on our suppliers.
- We may share the report with the "Informatiebeveiligingsdienst" (IBD), the CSIRT for Dutch municipalities. In this way, municipalities can share their experience with security vulnerabilities.
- The municipality may offer a reward as a thank you for your help. The reward may vary depending on the severity of the security problem and the quality of the report. A reward is only considered for a previously unknown, serious security problem where your report substantially helps to improve the security of our systems.
If you comply with the above terms and conditions, we will not take legal action against you or bring a civil case against you. If it appears that you have violated any of the above terms and conditions, we may still decide to take legal action. In doing so, we will take into account whether you acted in the public interest and whether the requirements of proportionality and subsidiarity were met.