Responsible disclosure – English

View the Dutch version of this page here.

We take extensive measures to secure our computer systems properly. Despite our best intentions and vigilance, a vulnerability may still exist in one of our systems. If you discover one, please contact us so that we can quickly take appropriate measures. By reporting a vulnerability, you agree to the rules below, and we will handle your report in accordance with them.

View the Hall of Fame

What we ask of you

  • Please report a vulnerability in one of our systems by sending an email to informatiebeveiliging@sudwestfryslan.nl. Preferably send the report encrypted using OpenPGP to prevent it from falling into the wrong hands.
  • Include sufficient information to allow us to reproduce and investigate the problem so that we can fix it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient. More complex vulnerabilities may require more information.
  • We welcome tips that help us solve the problem, but please limit yourself to verifiable facts that relate to the vulnerability you have identified, and avoid advertising or recommending specific (security) products.
  • Leave your contact details (at least an email address or phone number) so that we can get in touch with you and work together towards a safe result.
  • Please submit the report as soon as possible after discovering the vulnerability.

The following actions are not allowed

  • Placing malware, either on our systems or on those of others.
  • So-called “brute forcing” of access to systems, except where it is strictly necessary to demonstrate that the security of the targeted area is seriously deficient: that is, where a password that can seriously compromise the system is extremely easy to crack using publicly available and affordable hardware and software.
  • Using social engineering, except where it is strictly necessary to demonstrate that employees with access to sensitive data generally fail in their duty to handle it with care. This means that it is generally easy to persuade them, by entirely legal means (i.e. not through blackmail or the like), to provide such data to unauthorized persons. You must exercise all care that can reasonably be expected of you so as not to harm the employees in question. Your findings must be aimed exclusively at demonstrating apparent defects in the procedures and working methods within the municipality, and not at harming individuals who work for the municipality.
  • Disclosing or providing third parties with information about the security issue before it is resolved.
  • Performing actions that go beyond what is strictly necessary to demonstrate and report the security problem. This applies in particular to processing (including viewing or copying) confidential data to which the vulnerability gave you access: instead of copying a complete database, a directory listing or a single record suffices as proof. Changing or deleting data in the system is never permitted.
  • Making public or providing to third parties data of a confidential nature, such as privacy sensitive data.
  • Using techniques that reduce the availability and/or usability of the system or services (DoS attacks).
  • Abusing the vulnerability in any (other) way.

What you can expect from us

  • If you meet all the conditions above, we will not file a criminal complaint against you and we will not bring a civil case against you.
  • If it turns out that you have not complied with one or more of the conditions, we may still decide to take legal action against you.
  • We treat your report confidentially and do not share a reporter's personal data with third parties without their permission, unless we are obliged to do so by law or by a court decision.
  • We always share the received report with the “Informatiebeveiligingsdienst voor gemeenten” (IBD), so that municipalities can learn from each other's experiences in this area.
  • If you wish, and by mutual agreement, we can name you as the discoverer of the reported vulnerability. In all other cases you remain anonymous.
  • We will send you an (automatic) confirmation of receiving your report within 1 working day.
  • We will respond to a report within 3 working days with an (initial) assessment of the report and, if necessary, an expected date for a solution.
  • We will resolve the security problem you reported as quickly as possible. We strive to keep you well informed of the progress and to take no longer than 90 days to resolve the problem, although we are often partly dependent on suppliers.
  • We may offer you a reward as a thank you for your help. Depending on the severity of the security problem and the quality of the report, the reward can vary from a simple 'thank you' to a sticker or a T-shirt.

By mutual agreement we can decide whether and how the problem will be published after it has been resolved.